Page MenuHomePhabricator

img_auth.php should use userCan
Closed, ResolvedPublic

Description

Author: paprots

Description:
If somebody is using img_auth, then they very likely are using userCan hook. Just needs one line addition (sorry for not providing the patch as attachment):

if (!$title->userCanRead()) wfForbidden();

AFTER:

$title = Title::makeTitleSafe( NS_FILE, $name );
if( !$title instanceof Title ) {
wfDebugLog( 'img_auth', "Unable to construct a valid Title from {$name}" );
wfForbidden();
}


Version: 1.14.x
Severity: enhancement

Details

Reference
bz18394

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:32 PM
bzimport set Reference to bz18394.
bzimport added a subscriber: Unknown Object (MLST).
demon added a comment.Jul 3 2009, 8:06 PM

Fixed in r52751