MediaWiki REL1_28
img_auth.php
Go to the documentation of this file.
1<?php
40define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
41require __DIR__ . '/includes/WebStart.php';
42
43# Set action base paths so that WebRequest::getPathInfo()
44# recognizes the "X" as the 'title' in ../img_auth.php/X urls.
45$wgArticlePath = false; # Don't let a "/*" article path clober our action path
46$wgActionPaths = [ "$wgUploadPath/" ];
47
48wfImageAuthMain();
49
50$mediawiki = new MediaWiki();
51$mediawiki->doPostOutputShutdown( 'fast' );
52
53function wfImageAuthMain() {
54 global $wgImgAuthUrlPathMap;
55
56 $request = RequestContext::getMain()->getRequest();
57 $publicWiki = in_array( 'read', User::getGroupPermissions( [ '*' ] ), true );
58
59 // Get the requested file path (source file or thumbnail)
60 $matches = WebRequest::getPathInfo();
61 if ( !isset( $matches['title'] ) ) {
62 wfForbidden( 'img-auth-accessdenied', 'img-auth-nopathinfo' );
63 return;
64 }
65 $path = $matches['title'];
66 if ( $path && $path[0] !== '/' ) {
67 // Make sure $path has a leading /
68 $path = "/" . $path;
69 }
70
71 // Check for bug 28235: QUERY_STRING overriding the correct extension
72 $whitelist = [];
73 $extension = FileBackend::extensionFromPath( $path, 'rawcase' );
74 if ( $extension != '' ) {
75 $whitelist[] = $extension;
76 }
77 if ( !$request->checkUrlExtension( $whitelist ) ) {
78 return;
79 }
80
81 // Various extensions may have their own backends that need access.
82 // Check if there is a special backend and storage base path for this file.
83 foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) {
84 $prefix = rtrim( $prefix, '/' ) . '/'; // implicit trailing slash
85 if ( strpos( $path, $prefix ) === 0 ) {
86 $be = FileBackendGroup::singleton()->backendFromPath( $storageDir );
87 $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix
88 // Check basic user authorization
89 if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) {
90 wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path );
91 return;
92 }
93 if ( $be->fileExists( [ 'src' => $filename ] ) ) {
94 wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
95 $be->streamFile( [ 'src' => $filename ],
96 [ 'Cache-Control: private', 'Vary: Cookie' ] );
97 } else {
98 wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path );
99 }
100 return;
101 }
102 }
103
104 // Get the local file repository
105 $repo = RepoGroup::singleton()->getRepo( 'local' );
106 $zone = strstr( ltrim( $path, '/' ), '/', true );
107
108 // Get the full file storage path and extract the source file name.
109 // (e.g. 120px-Foo.png => Foo.png or page2-120px-Foo.png => Foo.png).
110 // This only applies to thumbnails/transcoded, and each of them should
111 // be under a folder that has the source file name.
112 if ( $zone === 'thumb' || $zone === 'transcoded' ) {
113 $name = wfBaseName( dirname( $path ) );
114 $filename = $repo->getZonePath( $zone ) . substr( $path, strlen( "/" . $zone ) );
115 // Check to see if the file exists
116 if ( !$repo->fileExists( $filename ) ) {
117 wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename );
118 return;
119 }
120 } else {
121 $name = wfBaseName( $path ); // file is a source file
122 $filename = $repo->getZonePath( 'public' ) . $path;
123 // Check to see if the file exists and is not deleted
124 $bits = explode( '!', $name, 2 );
125 if ( substr( $path, 0, 9 ) === '/archive/' && count( $bits ) == 2 ) {
126 $file = $repo->newFromArchiveName( $bits[1], $name );
127 } else {
128 $file = $repo->newFile( $name );
129 }
130 if ( !$file->exists() || $file->isDeleted( File::DELETED_FILE ) ) {
131 wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename );
132 return;
133 }
134 }
135
136 $headers = []; // extra HTTP headers to send
137
138 if ( !$publicWiki ) {
139 // For private wikis, run extra auth checks and set cache control headers
140 $headers[] = 'Cache-Control: private';
141 $headers[] = 'Vary: Cookie';
142
143 $title = Title::makeTitleSafe( NS_FILE, $name );
144 if ( !$title instanceof Title ) { // files have valid titles
145 wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name );
146 return;
147 }
148
149 // Run hook for extension authorization plugins
151 $result = null;
152 if ( !Hooks::run( 'ImgAuthBeforeStream', [ &$title, &$path, &$name, &$result ] ) ) {
153 wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) );
154 return;
155 }
156
157 // Check user authorization for this title
158 // Checks Whitelist too
159 if ( !$title->userCan( 'read' ) ) {
160 wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name );
161 return;
162 }
163 }
164
165 $options = []; // HTTP header options
166 if ( isset( $_SERVER['HTTP_RANGE'] ) ) {
167 $options['range'] = $_SERVER['HTTP_RANGE'];
168 }
169 if ( isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) {
170 $options['if-modified-since'] = $_SERVER['HTTP_IF_MODIFIED_SINCE'];
171 }
172
173 if ( $request->getCheck( 'download' ) ) {
174 $headers[] = 'Content-Disposition: attachment';
175 }
176
177 // Stream the requested file
178 wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
179 $repo->streamFile( $filename, $headers, $options );
180}
181
189function wfForbidden( $msg1, $msg2 ) {
190 global $wgImgAuthDetails;
191
192 $args = func_get_args();
193 array_shift( $args );
194 array_shift( $args );
195 $args = ( isset( $args[0] ) && is_array( $args[0] ) ) ? $args[0] : $args;
196
197 $msgHdr = wfMessage( $msg1 )->escaped();
198 $detailMsgKey = $wgImgAuthDetails ? $msg2 : 'badaccess-group0';
199 $detailMsg = wfMessage( $detailMsgKey, $args )->escaped();
200
201 wfDebugLog( 'img_auth',
202 "wfForbidden Hdr: " . wfMessage( $msg1 )->inLanguage( 'en' )->text() . " Msg: " .
203 wfMessage( $msg2, $args )->inLanguage( 'en' )->text()
204 );
205
206 HttpStatus::header( 403 );
207 header( 'Cache-Control: no-cache' );
208 header( 'Content-Type: text/html; charset=utf-8' );
209 echo <<<ENDS
210<!DOCTYPE html>
211<html>
212<head>
213<meta charset="UTF-8" />
214<title>$msgHdr</title>
215</head>
216<body>
217<h1>$msgHdr</h1>
218<p>$detailMsg</p>
219</body>
220</html>
221ENDS;
222}
text
design txt This is a brief overview of the new design More thorough and up to date information is available on the documentation wiki at etc Handles the details of getting and saving to the user table of the and dealing with sessions and cookies OutputPage Encapsulates the entire HTML page that will be sent in response to any server request It is used by calling its functions to add text
Definition design.txt:18
$wgArticlePath
$wgArticlePath
Definition img_auth.php:45
php
injection txt This is an overview of how MediaWiki makes use of dependency injection The design described here grew from the discussion of RFC T384 The term dependency this means that anything an object needs to operate should be injected from the the object itself should only know narrow no concrete implementation of the logic it relies on The requirement to inject everything typically results in an architecture that based on two main types of and essentially stateless service objects that use other service objects to operate on the value objects As of the beginning MediaWiki is only starting to use the DI approach Much of the code still relies on global state or direct resulting in a highly cyclical dependency which acts as the top level factory for services in MediaWiki which can be used to gain access to default instances of various services MediaWikiServices however also allows new services to be defined and default services to be redefined Services are defined or redefined by providing a callback the instantiator that will return a new instance of the service When it will create an instance of MediaWikiServices and populate it with the services defined in the files listed by thereby bootstrapping the DI framework Per $wgServiceWiringFiles lists includes ServiceWiring php
Definition injection.txt:37
Content
Base interface for content objects.
Definition Content.php:34
cache
you have access to all of the normal MediaWiki so you can get a DB use the cache
Definition maintenance.txt:55
title
title
Definition parserTests.txt:211