Author: paprots
Description:
If somebody is using img_auth, then they are very likely using the userCan hook. It just needs a one-line addition (sorry for not providing the patch as an attachment):
if (!$title->userCanRead()) wfForbidden();
AFTER:
$title = Title::makeTitleSafe( NS_FILE, $name );
if( !$title instanceof Title ) {
	wfDebugLog( 'img_auth', "Unable to construct a valid Title from {$name}" );
	wfForbidden();
}
Version: 1.14.x
Severity: enhancement