img_auth.php Does Not Protect Images if $wgWhitelistRead is Undefined
Closed, ResolvedPublic
Actions

Assigned To

None

Authored By

	• bzimport
	Jul 30 2007, 6:56 PM

Description

Author: nhoeller

Description:
img_auth.php fails the image request if all of the conditions in the following statement are true. If any condition is false, then the routine will allow the image to be loaded (unless caught by a later test). Therefore, if $wgWhitelistRead is NOT defined, all image requests are allowed, even for users that are not logged in.

if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead ) && !$wgUser->getID() ) {

I believe the intent was to only check whether the imagename is in the whitelist if the whitelist exists. The following statement captures this logic:

if ( !( is_array( $wgWhitelistRead ) && in_array( $imageName, $wgWhitelistRead ) ) && !$wgUser->getID() ) {

I ran into this problem with cgi_img_auth.php, which was derived from img_auth.php, but did not include the comments about setting $wgWhitelistRead. Although technically the documentation tells the user to create $wgWhitelistRead, accidentally deleting the whitelist array should not result in images being unprotected.

Version: 1.10.x
Severity: normal

Details

Reference: bz10756

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:49 PM

• bzimport added a project: MediaWiki-File-management.

• bzimport set Reference to bz10756.

• bzimport added a subscriber: Unknown Object (MLST).

• bzimport created this task.Jul 30 2007, 6:56 PM

robchur wrote:

Fixed in r24609.

• Gilles added a project: Multimedia.Dec 4 2014, 10:45 AM

• Gilles moved this task from Untriaged to Done on the Multimedia board.

img_auth.php Does Not Protect Images if $wgWhitelistRead is UndefinedClosed, ResolvedPublicActions

Description

Details

Event Timeline

img_auth.php Does Not Protect Images if $wgWhitelistRead is Undefined
Closed, ResolvedPublic
Actions