path: root/img_auth.php
Commit message | Author | Age | Files | Lines
...
* Changing URLs of mediawiki.org in scripts to the SSL-based website
  Author: Ladsgroup | Age: 2014-03-12 | Files: 1 | Lines: -1/+1
  http://www.mediawiki.org --> https://www.mediawiki.org Part 2
  Change-Id: I3be61fe3dfb502cc20180486eb1a8016eac151df
* SECURITY: Added missing auth check in img_auth.php
  Author: Aaron Schulz | Age: 2014-01-13 | Files: 1 | Lines: -1/+6
  For $wgImgAuthUrlPathMap in img_auth.php
  Bug: 57016
  Change-Id: I874878322a91bf14091500223d3520861a1556bb
* Added support to img_auth.php for non-repo containers
  Author: Aaron Schulz | Age: 2013-12-04 | Files: 1 | Lines: -4/+23
  * This adds a new $wgImgAuthUrlPathMap config variable
  * Also fixed ImgAuthBeforeStream hook msg formatting
  bug: 51136
  Change-Id: I77528f92b20670e3b09adc79c49e62060f1614f3
* phpcs: More require/include is not a function
  Author: Timo Tijhof | Age: 2013-05-21 | Files: 1 | Lines: -1/+1
  Follows-up I1343872de7, Ia533aedf63 and I2df2f80b81. Also updated usage in text in documentation and the installer LocalSettingsGenerator. Most of them were handled by this regex:
  - find: (require|include|require_once|include_once)\s*\(\s*(.+?)\s*\)\s*;$
  - replace: $1 $2;
  Change-Id: I6b38aad9a5149c9c43ce18bd8edbab14b8ce43fa
* cleanup: variable referenced without initialization
  Author: Yuri Astrakhan | Age: 2013-05-15 | Files: 1 | Lines: -0/+2
  declared so that IDE knows how to use it and initialized
  Change-Id: I4841fd3f03220f837c981951f07c1c21ddbd76af
* Remove hphpc support and deprecate related functions
  Author: Tim Starling | Age: 2013-05-09 | Files: 1 | Lines: -5/+1
  hphpc has been superseded by hhvm, so support for hphpc is no longer needed.
  * Continue to use Preprocessor_Hash under HipHop since it is still faster under hhvm
  * Keep $wgCompiledFiles for now, so that wikihiero doesn't give an error before Ic9d1e795 is merged
  * Migrate the run-server script and associated configuration file to hhvm. Enable EnableStaticContentFromDisk since it doesn't seem ridiculously inefficient at first glance. Run from $IP rather than $IP/.. since hhvm is apparently not picky about sourcing files from outside of the current directory.
  Change-Id: Ic3e769f1fbad4f7ad26dd819406796fee48c6b45
* Update code formatting
  Author: Siebrand Mazeland | Age: 2013-02-14 | Files: 1 | Lines: -5/+5
  Change-Id: I8741b5b979e55f38a666961a16c387586a92410e
* style: fix up commas in function arguments
  Author: Antoine Musso | Age: 2013-02-06 | Files: 1 | Lines: -1/+1
  Fix up spaces in our function calls, we do not want spaces before a comma and try to avoid multiple commas whenever possible.
  Errors:
  * No space found after comma in function call
  * Space found before comma in function call
  Change-Id: I51aec02016f742422fa60b92ad35ba3f0ef59ba3
* Simplified thumb.php for 404 handling.
  Author: Aaron Schulz | Age: 2012-11-08 | Files: 1 | Lines: -1/+1
  * Made thumb_handler.php "just work" in a way similar to img_auth. It no longer needs any "handlerUrl" setting to be set.
  Change-Id: I557ba1f94db3cef0f21f5c0e2b60d8e381ea3f96
* Use __DIR__ instead of dirname( __FILE__ )
  Author: jeroendedauw | Age: 2012-08-27 | Files: 1 | Lines: -1/+1
  We can now do this since we finally switched to PHP 5.3 for MW 1.20 and get rid of the silly dirname(__FILE__) stuff :)
  Change-Id: Id9b2c9cd2e678197aa81c78adced5d1d31ff57b1
* Replace deprecated wfMsg* calls with Message class calls.
  Author: Siebrand Mazeland | Age: 2012-08-22 | Files: 1 | Lines: -4/+4
  Doing this in steps of roughly 100 changes per commit, so that it remains reviewable.
  Change-Id: Ie349afa5c809c887c787c7c04c49c9dd3478ccac
* Added missing GPLv2 headers in some places.
  Author: Alexandre Emsenhuber | Age: 2012-05-23 | Files: 1 | Lines: -3/+16
  Also made file documentation more consistent.
  Change-Id: I30e124514396f110a572467b94ca06cefd5f7b46
* Fixed use of undefined FILES_ONLY constant.
  Author: Aaron | Age: 2012-04-11 | Files: 1 | Lines: -1/+1
  Change-Id: Icc924785cdb394adc723666bf9f6a67e9d6a4d0d
* trunk/phase3 is now mediawiki/core
  Author: Platonides | Age: 2012-03-23 | Files: 1 | Lines: -1/+1
  Change-Id: Ief2721ee6573a5e54a276c91de636d9e1a678b8b
* Cleanup a few unused globals
  Author: Sam Reed | Age: 2012-02-16 | Files: 1 | Lines: -1/+1
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/111612
* w/s
  Author: Mark A. Hershberger | Age: 2012-02-07 | Files: 1 | Lines: -1/+1
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/110843
* * Fix for r81363: instead of giving a PHP notice when PATH_INFO is missing, show the informative error message used before that revision.
  Author: Tim Starling | Age: 2012-02-07 | Files: 1 | Lines: -0/+4
  * Revert the change to the relevant message made in r102612: it is plain text, not wikitext, a format which does not support protocol-relative URLs.
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/110822
* Merged FileBackend branch. Manually avoiding merging the many prop-only changes SVN likes to sprinkle in (easy to spot from the change list). Did not add SwiftFileBackend.php as it still is in development.
  Author: Aaron Schulz | Age: 2011-12-20 | Files: 1 | Lines: -24/+14
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/106752
* update all core usage of deprecated Title::userCanRead()
  Author: Robin Pepermans | Age: 2011-12-13 | Files: 1 | Lines: -2/+2
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/106010
* Reverted r105208 per CR
  Author: Aaron Schulz | Age: 2011-12-06 | Files: 1 | Lines: -4/+4
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/105330
* FU r104216: keep the r103738 regex check for thumbnails but use the parent directory as the source file name. This avoids the assumption that the thumb URL starts with /thumb.
  Author: Aaron Schulz | Age: 2011-12-05 | Files: 1 | Lines: -4/+4
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/105208
* FU r103738: redid the method of getting the source file name for thumbnails altogether, using suggestion per CR.
  Author: Aaron Schulz | Age: 2011-11-25 | Files: 1 | Lines: -5/+6
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/104216
* Update img_auth.php and WebRequest code to handle non index.php scripts like img_auth.php better. Also update img_auth.php so its abuse of $wg variables is done in a way that doesn't let "/*" action paths clobber its handling. This should theoretically fix bug 32486.
  Author: Daniel Friesen | Age: 2011-11-24 | Files: 1 | Lines: -2/+7
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/104150
* image_auth.php cleanups:
  Author: Aaron Schulz | Age: 2011-11-20 | Files: 1 | Lines: -76/+100
  * Factored main code into wfImageAuthMain()
  * Made preg_match() for $name account for "page3-" type specifiers in the thumb name
  * Code style cleanups
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/103738
* Fix whitespace, braces
  Author: Sam Reed | Age: 2011-10-15 | Files: 1 | Lines: -15/+22
  Fix return items
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/99926
* Move wfStreamFile() into a class, update all callers in core (only 3 extensions use it afaict), leave wfStreamFile() as a b/c alias for now. Yay less global functions, autoloading and less manual require()s.
  Author: Chad Horohoe | Age: 2011-08-13 | Files: 1 | Lines: -2/+1
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/94427
* * (bug 29531) r89628 breaks img_auth.php
  Author: Sam Reed | Age: 2011-06-30 | Files: 1 | Lines: -1/+1
  Apply Tim's strpos -> strrpos fix, confirmed to work by bug reporter
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/91153
* * Added a REQUEST_URI check to the bug 28235 handling.
  Author: Tim Starling | Age: 2011-06-06 | Files: 1 | Lines: -5/+11
  * Moved most of the bug 28235 code out to a separate library class, since I was running out of distinct function names.
  * Merged the QUERY_STRING and PATH_INFO security checks, since they are dealing with the exact same problem. Removed WebRequest::isQueryStringBad().
  * Deal with img_auth.php by having it specify what extension it expects to be streaming out. This extension can then be compared with the extension that IE might detect.
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/89558
* * Only blacklist query string extensions which match /^[a-zA-Z0-9_-]+$/. This avoids blacklisting pretty much every api.php URL with a dot in it, due to extensions like "webm&smaxage=3600&maxage=3600&format=jsonfm" being detected. Such an extension is unlikely to be registered to a dangerous file type. The proposed regex matches all extensions registered in HKEY_CLASSES_ROOT on my Windows XP VM, but does not include the ampersand, so avoids matching multiple URL parameters.
  Author: Tim Starling | Age: 2011-06-01 | Files: 1 | Lines: -2/+1
  * Fixed a logic error in WebRequest::isPathInfoBad() from r88883, which caused dangerous PATH_INFO strings to be allowed as long as QUERY_STRING was set.
  * Refactored the query string checks in WebRequest and img_auth.php into a single new function: isQueryStringBad().
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/89248
* HipHop improvements:
  Author: Tim Starling | Age: 2011-05-30 | Files: 1 | Lines: -1/+5
  * Added the ability to compile extensions. The build process is bootstrapped by running MediaWiki in interpreted mode. Extension setup file inclusions are slightly modified in a way that makes them register themselves for compilation. Then the same LocalSettings.php uses the compiled extension setup file when the compiled binary runs.
  * Tested with Cite and ParserFunctions. The code which lets you have an extensions directory in a place other than $IP/../extensions is untested.
  * Simplified WebStart.php slightly by using a custom $_SERVER variable to mark compiled mode. It will break if you don't use the supplied server.conf, but that will break a lot of things so don't do that.
  * Fixed the core web entry points to include WebStart.php in compiled mode instead of interpreted.
  * Made the build directory configurable. This is mostly so that I can grep the source tree without seeing loads of generated C++.
  * In server.conf, added a rewrite rule allowing a /wiki/$1 article path.
  * Removed server.conf log file location "/dev/stdout", breaks when you switch user
  * Disable static content cache, breaks horribly when you set SourceRoot to a directory containing 7GB of files.
  * Rewrote the run-server script in PHP, mostly to support the configurable build directory feature.
  * Added an option to the run-server script to allow running in interpreted (hphpi) mode.
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/89166
* * Fix for bug 28534: IE 6 content type detection again
  Author: Tim Starling | Age: 2011-05-05 | Files: 1 | Lines: -1/+1
  * Fix for bug 28639: user object instance cache pollution
  * Release notes formatting tweak.
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/87482
* (bug 28507) Fix for r85844: that revision was not actually sufficient to fix bug 28235, since URLs can have more than one question mark in them.
  Author: Tim Starling | Age: 2011-04-14 | Files: 1 | Lines: -1/+1
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/86027
* Fix for bug 28235: IE6 looks for the file extension in the query string
  Author: Tim Starling | Age: 2011-04-12 | Files: 1 | Lines: -0/+7
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/85844
* * Remove last bit of code that uses PATH_INFO from img_auth.php so that people who want to use protected images on hosts with sadly mis-shapen PHPs (e.g. GoDaddy) can.
  Author: Mark A. Hershberger | Age: 2011-02-02 | Files: 1 | Lines: -11/+3
  * Mangle PATH_INFO handler in WebRequest so that all the relevant bits are in a (couple of) static functions.
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/81363
* Whitespace cleanup
  Author: Mark A. Hershberger | Age: 2011-02-01 | Files: 1 | Lines: -7/+7
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/81347
* Follow-up r65652: Do not double-slash the path if it came from PATH_INFO
  Author: Bryan Tong Minh | Age: 2010-12-12 | Files: 1 | Lines: -1/+2
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/78253
* Use WebRequest here too
  Author: Chad Horohoe | Age: 2010-08-11 | Files: 1 | Lines: -3/+5
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/70873
* allow img_auth.php to use path= in place of PATH_INFO, so it can be used in CGI mode. Use with RewriteRule ^/w/images/(.*)$ /w/img_auth.php?path=bell-style
  Author: Daniel Kinzler | Age: 2010-04-29 | Files: 1 | Lines: -4/+7
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/65652
* Don't call User::getGroupPermissions() unless $wgImgAuthPublicTest==true. Efficiency measure suggested by ans-fox.
  Author: Tim Starling | Age: 2009-10-14 | Files: 1 | Lines: -3/+4
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/57699
* Cleaned up img_auth code and re-integrated core img-auth- messages.
  Author: Jack D. Pond | Age: 2009-09-10 | Files: 1 | Lines: -71/+60
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/56152
* Revert r55800 "bug 19646 Localization of img_auth.php - with enhancements"
  Author: Brion Vibber | Age: 2009-09-08 | Files: 1 | Lines: -61/+71
  The localization code here is really ugly with weird things like call_user_func_array() all over the place, and there are bugs with escaping for log entries and such. Tried to rebuild all the localization files, but rebuildLanguage.php doesn't seem to consider the messages as "unknown". Have removed from English and qqq.
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/56051
* bug 19646 Localization of img_auth.php - with enhancements
  Author: Jack D. Pond | Age: 2009-09-04 | Files: 1 | Lines: -71/+61
  https://bugzilla.wikimedia.org/show_bug.cgi?id=19646
  1. Localize img_auth.php using core messages
  2. Reorder checks to make sense (and eliminate redundancy)
  3. Add hook 'ImgAuthBeforeStream' to allow custom checking
  4. Add globals wgImgAuthDetails,
  5. Move all "wfDebugLog" into the rejection functions
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/55800
* (bug 18394) img_auth.php now respects userCan
  Author: Chad Horohoe | Age: 2009-07-03 | Files: 1 | Lines: -0/+4
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/52751
* Same as r48631; added "@file" when needed, also added doc in redirect.php and install-utils.inc
  Author: Alexandre Emsenhuber | Age: 2009-03-21 | Files: 1 | Lines: -2/+4
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/48658
* Step 2 in NS_IMAGE -> NS_FILE transition (bug 44) (WARNING: huge commit).
  Author: Ilmari Karonen | Age: 2008-12-01 | Files: 1 | Lines: -1/+1
  This is a global search and replace of NS_IMAGE and NS_IMAGE_TALK with NS_FILE and NS_FILE_TALK respectively in all core files, excluding those already updated in step 1 (r44004).
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/44121
* Revert "Follow up on r43982. Reduce dirname(__FILE__) calls in core and extensions."
  Author: Andrew Garrett | Age: 2008-11-30 | Files: 1 | Lines: -3/+2
  Uses $dir in extension files, and assumes that it remains unchanged in require_once( 'maintenance/commandLine.inc' ). In fact, it is likely that '$dir' will be set when setting up command-line, as some extensions will use the same var. Recommended fix: Use $CentralAuth_dir, $EmailPage_dir, etc.
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/44056
* Follow up on r43982. Reduce dirname(__FILE__) calls in core and extensions.
  Author: Siebrand Mazeland | Age: 2008-11-26 | Files: 1 | Lines: -2/+3
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/43987
* Protect users from attacks against their browsers via malicious script-containing uploads, by:
  Author: Tim Starling | Age: 2008-11-18 | Files: 1 | Lines: -0/+28
  1) Requiring a session token before streaming files out via Special:Undelete
  2) Restricting img_auth.php to private wikis only (its intended use case)
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/43661
* Send Cache-Control: private and Vary headers in img_auth.php.
  Author: Tim Starling | Age: 2007-11-03 | Files: 1 | Lines: -4/+5
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/27149
* * Fix img_auth.php image name extraction for whitelist checking
  Author: Rob Church | Age: 2007-08-06 | Files: 1 | Lines: -30/+56
  * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through
  Notes: http://mediawiki.org/wiki/Special:Code/MediaWiki/24609