]> scripts.mit.edu Git - autoinstallsdev/mediawiki.git/blobdiff - img_auth.php
scripts.mit.edu / autoinstallsdev / mediawiki.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
MediaWiki 1.16.3
[autoinstallsdev/mediawiki.git] / img_auth.php
diff --git a/img_auth.php b/img_auth.php
index bc4464d4cc151136e397591328e3d7fe8b03c42d..534d1fd2ec01fbc60b3d657f9c3efb595ef86a02 100644 (file)
--- a/img_auth.php
+++ b/img_auth.php
@@ -37,6 +37,13 @@ if ( $wgImgAuthPublicTest
        wfForbidden('img-auth-accessdenied','img-auth-public');
 }
 
+// Check for bug 28235: QUERY_STRING overriding the correct extension
+if ( isset( $_SERVER['QUERY_STRING'] )
+       && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+{
+       wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
+}
+
 // Extract path and image information
 if( !isset( $_SERVER['PATH_INFO'] ) )
        wfForbidden('img-auth-accessdenied','img-auth-nopathinfo');
MediaWiki autoinstaller for scripts.mit.edu