Page MenuHomePhabricator
Create Task
Maniphest T20394

img_auth.php should use userCan
Closed, ResolvedPublic
Actions

Description

Author: paprots

Description:
If somebody is using img_auth, then they very likely are using userCan hook. Just needs one line addition (sorry for not providing the patch as attachment):

if (!$title->userCanRead()) wfForbidden();

AFTER:

$title = Title::makeTitleSafe( NS_FILE, $name );
if( !$title instanceof Title ) {
wfDebugLog( 'img_auth', "Unable to construct a valid Title from {$name}" );
wfForbidden();
}

Version: 1.14.x
Severity: enhancement

Details

Reference
bz18394

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:32 PM
bzimport added a project: MediaWiki-Page-protection.
bzimport set Reference to bz18394.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Apr 7 2009, 11:01 PM
demon added a comment.Jul 3 2009, 8:06 PM

Fixed in r52751

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL