author | Aaron Schulz <aschulz@wikimedia.org> | 2014-04-30 00:51:35 -0700 |
---|---|---|
committer | Aaron Schulz <aschulz@wikimedia.org> | 2014-04-30 00:51:35 -0700 |
commit | 40e5324ece9e4d1bdefa48c1e800d42dd1cbec2f (patch) | |
tree | 9fb69b3979fab2e84f4963102494789cc1af57e9 /thumb.php | |
parent | 06db1a2335826d7da5da2a47ddec44a08094376d (diff) | |
download | mediawikicore-40e5324ece9e4d1bdefa48c1e800d42dd1cbec2f.tar.gz mediawikicore-40e5324ece9e4d1bdefa48c1e800d42dd1cbec2f.zip |
Moved isDeleted() check down to avoid information leakage in thumb.php
Change-Id: Idcbf79ef7c82f5bcf3c0ab1002fde2201d81313f
Diffstat (limited to 'thumb.php')
-rw-r--r-- | thumb.php | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/thumb.php b/thumb.php
index c5da918e0864..1f823bd8661e 100644
--- a/thumb.php
+++ b/thumb.php
@@ -163,12 +163,6 @@ function wfStreamThumb( array $params ) {
 return;
 }
 
- // Check if the file is hidden
- if ( $img->isDeleted( File::DELETED_FILE ) ) {
- wfThumbError( 404, "The source file '$fileName' does not exist." );
- return;
- }
-
 // Check permissions if there are read restrictions
 $varyHeader = array();
 if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
@@ -181,6 +175,12 @@ function wfStreamThumb( array $params ) {
 $varyHeader[] = 'Cookie';
 }
 
+ // Check if the file is hidden
+ if ( $img->isDeleted( File::DELETED_FILE ) ) {
+ wfThumbError( 404, "The source file '$fileName' does not exist." );
+ return;
+ }
+
 // Do rendering parameters extraction from thumbnail name.
 if ( isset( $params['thumbName'] ) ) {
 $params = wfExtractThumbParams( $img, $params );
 |
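Review bot: The relocated `isDeleted( File::DELETED_FILE )` check in the second hunk keeps only the comment `// Check if the file is hidden`, so the code does not record that its position after the read-permission block is what closes the leak named in the commit message. A later refactor could move it back up without anyone noticing; I would extend the comment to something like `// Check if the file is hidden. Must run after the read-permission check so callers without read rights cannot tell hidden files apart by status code.` It is also worth confirming that the missing-file path further down in `wfStreamThumb` (outside this hunk) answers with the same 404 status and message, since otherwise users who do have read rights could presumably still distinguish a hidden file from an absent one. A regression test requesting a hidden file's thumbnail as a user without read rights, and expecting the permission error rather than the 404, would pin the ordering.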