Filing as a security bug to be paranoid, but I don't really think it's actually that much of a security issue. Worst case is someone could get a version of a deleted file, if they planned ahead before it was deleted.
Example: https://upload.wikimedia.org/wikipedia/test/archive/b/b3/20130709191600!Bawolff-test-del.jpg returns the file, despite https://test.wikipedia.org/w/index.php?title=File:Bawolff-test-del.jpg
It appears that we send HTCP purges for old version thumbnails, but not the actual file asset itself.
Steps to reproduce:
* Upload some file
* Overwrite it with something
* In the file description page, click on the old version of the image, thus loading the full resolution version of the old file (and getting it in varnish cache)
* Delete the file
* The old full resolution link still works as it's still in varnish cache.
I'm working on a patch for this, and I'll post it to the bug when done.
Version: 1.22.0
Severity: normal
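
An added example, not part of the original report and not MediaWiki's code: a purge-coverage check that lists every cached URL a delete must invalidate and reports the ones missing from a purge log. The function names, the thumbnail URL layout for old versions, the 120px width and the one-URL-per-line log format are assumptions; the only value taken from the report is the archive URL.

```python
import re

# URL quoted in the report; everything else below is derived from its layout.
REPORTED = ("https://upload.wikimedia.org/wikipedia/test/archive/b/b3/"
            "20130709191600!Bawolff-test-del.jpg")

def parse_archive_url(url):
    """Split an old-version URL into (base, hash_dir, timestamp, name)."""
    m = re.fullmatch(r"(.+)/archive/([0-9a-f]/[0-9a-f]{2})/(\d{14})!([^/]+)", url)
    if not m:
        raise ValueError("not an archive URL: " + url)
    return m.groups()

def required_purges(base, hash_dir, name, timestamps, widths):
    """Every cached URL that has to be purged when the file is deleted."""
    urls = {f"{base}/{hash_dir}/{name}"}  # current original
    urls |= {f"{base}/thumb/{hash_dir}/{name}/{w}px-{name}" for w in widths}
    for ts in timestamps:
        old = f"{ts}!{name}"
        urls.add(f"{base}/archive/{hash_dir}/{old}")  # old-version original
        # Assumed thumbnail layout for old versions.
        urls |= {f"{base}/thumb/archive/{hash_dir}/{old}/{w}px-{name}"
                 for w in widths}
    return urls

def unpurged(required, purge_log):
    """URLs that should have been purged but never appear in the purge log."""
    seen = {line.strip() for line in purge_log if line.strip()}
    return sorted(required - seen)

def demo():
    base, hash_dir, ts, name = parse_archive_url(REPORTED)
    required = required_purges(base, hash_dir, name, [ts], [120])
    # Constructed purge log matching the behaviour described in the report:
    # thumbnails (and, by assumption, the current file) are purged,
    # the old-version original is not.
    log = [u + "\n" for u in required
           if "/archive/" not in u or "/thumb/" in u]
    return unpurged(required, log)

if __name__ == "__main__":
    for url in demo():
        print("still cacheable after delete:", url)
```

Feeding `unpurged` the purge lines actually emitted for a test deletion, instead of the constructed log, turns this into a regression check for the fix.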