Page MenuHomePhabricator

img_auth.php Does Not Protect Images if $wgWhitelistRead is Undefined
Closed, ResolvedPublic


Author: nhoeller

img_auth.php fails the image request if all of the conditions in the following statement are true. If any condition is false, then the routine will allow the image to be loaded (unless caught by a later test). Therefore, if $wgWhitelistRead is NOT defined, all image requests are allowed, even for users that are not logged in.

if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead ) && !$wgUser->getID() ) {

I believe the intent was to only check whether the imagename is in the whitelist if the whitelist exists. The following statement captures this logic:

if ( !( is_array( $wgWhitelistRead ) && in_array( $imageName, $wgWhitelistRead ) ) && !$wgUser->getID() ) {

I ran into this problem with cgi_img_auth.php, which was derived from img_auth.php, but did not include the comments about setting $wgWhitelistRead. Although technically the documentation tells the user to create $wgWhitelistRead, accidentally deleting the whitelist array should not result in images being unprotected.

Version: 1.10.x
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:49 PM
bzimport set Reference to bz10756.
bzimport added a subscriber: Unknown Object (MLST).