
Make thumb.php error or redirect for urls with bogus paths but valid file & thumb names
Closed, Resolved; Public

Description

From IRC:
[11:28] AaronSchulz domas: https://upload.wikimedia.org/wikipedia/commons/thumb/x/xx/Little_kitten_.jpg/799px-Little_kittenajsdhfa_.jpg
[11:28] AaronSchulz hehe, file deletion won't purge that I bet
[11:28] AaronSchulz it sends the purge URLs based on the actual relative path, not that fake one I posted with fake hash dirs
[11:29] AaronSchulz one could upload pr0n and hotlink to thumbs for days without them going away even if the source file was deleted

thumb.php should redirect or give an error in such cases.


Version: 1.20.x
Severity: normal
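
An added example (not code from this task or from r111076) of the check requested above: rebuild the canonical thumbnail path from the file name and reject or redirect anything else, so the only cacheable URLs are the ones a deletion purge covers. It assumes MediaWiki's default two-level md5 hash directories, the plain `<width>px-<name>` thumbnail form and an already percent-decoded path; `check_thumb_path` and `hash_dirs` are hypothetical names.

```python
import hashlib
import re

# /<project>/<wiki>/thumb/<h1>/<h2>/<file name>/<thumb name>
THUMB_RE = re.compile(
    r"^/(?P<zone>[^/]+/[^/]+)/thumb/(?P<h1>[^/]+)/(?P<h2>[^/]+)"
    r"/(?P<name>[^/]+)/(?P<thumb>[^/]+)$"
)
WIDTH_RE = re.compile(r"^(?P<width>[1-9][0-9]*)px-(?P<rest>.+)$")


def hash_dirs(name):
    """Hash directories for a file name (assumed layout: md5, two levels)."""
    digest = hashlib.md5(name.encode("utf-8")).hexdigest()
    return digest[0], digest[:2]


def check_thumb_path(path):
    """Return ("serve", path), ("redirect", canonical) or ("error", None)."""
    m = THUMB_RE.match(path)
    if not m:
        return ("error", None)
    name = m["name"]
    w = WIDTH_RE.match(m["thumb"])
    # The thumb name must be exactly "<width>px-" + the file name; otherwise
    # one source file could be cached under unlimited unpurgeable names.
    if not w or w["rest"] != name:
        return ("error", None)
    h1, h2 = hash_dirs(name)
    canonical = f"/{m['zone']}/thumb/{h1}/{h2}/{name}/{w['width']}px-{name}"
    # Names agree but the hash dirs are wrong: send the client to the one
    # URL that the purge on deletion will actually hit.
    if (m["h1"], m["h2"]) != (h1, h2):
        return ("redirect", canonical)
    return ("serve", canonical)


if __name__ == "__main__":
    # Path of the URL quoted in the IRC log above (fake dirs, fake thumb name).
    print(check_thumb_path(
        "/wikipedia/commons/thumb/x/xx/Little_kitten_.jpg"
        "/799px-Little_kittenajsdhfa_.jpg"))
    # Constructed variant: fake hash dirs, consistent file and thumb names.
    print(check_thumb_path(
        "/wikipedia/commons/thumb/x/xx/Little_kitten_.jpg"
        "/799px-Little_kitten_.jpg"))
```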

Details

Reference
bz34231

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 12:13 AM
bzimport set Reference to bz34231.

Fixed thumb.php in r111076. Since WMF still uses thumb-handler.php, the fix has no effect in that case.

Ben, this one is now solely dependent on eliminating ms5 from the thumbnail path, so I'm assigning it to you.

I need to make the tiff/ogg extensions use the ExtractThumbParameters hook in thumb.php as well before we can start using its 404 handling.

(In reply to comment #3)
> I need to make the tiff/ogg extensions use the ExtractThumbParameters hook in
> thumb.php as well before we can start using its 404 handling.

Done in r111199.

To switch over:
a) 404 handling must be enabled on the scalars to rewrite to thumb_handler.php
b) rewrite.py change to use the scalars directly on 404
c) thumb-handler.php on nginx server could eventually be disabled, though that's not required for this bug

The new handler has been deployed already.

Gilles raised the priority of this task from Medium to Unbreak Now!. Dec 4 2014, 10:25 AM
Gilles added a project: Multimedia.
Gilles moved this task from Untriaged to Done on the Multimedia board.
Gilles lowered the priority of this task from Unbreak Now! to Medium. Dec 4 2014, 11:21 AM