[Mediawiki-l] Image Directory Security using cgi_img_auth.php

Norbert Hoeller nhoeller at sinet.ca
Mon May 21 12:56:06 UTC 2007

I am running MediaWiki 1.10.0 on a shared hosting server with PHP 5.2.1 
(cgi).  I have restricted read/create/edit access to logged-in users only. 
 '$wgHashedUploadDirectory = true;' was defined in LocalSettings.php.  To 
block access from a non-Wiki user who figures out the path/filename of an 
uploaded file, I have been following the directions in 

MediaWki is installed in a '/MyWiki' subdirectory.  Steps completed so 
 * created a .htaccess file in '/MyWiki/images' containing 'Deny from All
 * tested access to an existing file in '/MyWiki/images/f/f2/Fields.png' 
and received: 'Error 403 - Forbidden: You tried to access a document for 
which you don't have privileges.'
 * downloaded CGI-supporting image authorization script, renamed it as 
'cgi-img_auth.php' and installed it in '/MyWiki'
 * added '$wgUploadPath = "/MyWiki/cgi_img_auth.php";' to 
 * added the following lines to .htaccess in '/MyWiki':
                RewriteEngine on
                RewriteBase /
                RewriteRule ^cgi_img_auth.php(.*)$ 

The instructions called for adding the following lines:
                RewriteEngine on
                RewriteRule ^/path/to/images(.*)$ 
/path/to/cgi_img_auth.php/$1 [R]
                RewriteRule ^path/to/cgi_img_auth.php/(.*)$ 
I suspect that these RewriteRules assumed that the .htaccess file was in 
the root directory of the server, rather than in the Wiki directory. Since 
I wanted to limit the scope of the change to the Wiki directory, I removed 
the Wiki directory path (that appears to be stripped off by Apache).  I 
also had to add the 'RewriteBase /' statement, probably because I am on a 
shared server.

Question 1: what is the purpose of the first RewriteRule in the 
instructions?  The $wgUploadPath statement should cause MediaWiki to send 
all image requests to 'cgi_img_auth.php', which the second RewriteRule 
fixes up to have the right syntax.  Any requests outside of the Wiki to 
the image directory itself should fail due to the 'Deny from All' 
statement.  Are there cases where MediaWiki tries to access an image 
through the Apache server?

I found that 'cgi_img_auth.php' was not preventing access to images if the 
user was logged out.  In other words, direct access to '
http://.../MyWiki/cgi_img_auth.php/f/f2/Fields.png' worked.  I think the 
problem occurred because I did not have a $wgWhitelistRead array defined, 
causing the first test to fail and bypassing the login check.
        if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, 
$wgWhitelistRead ) && !$wgUser->getID() ) {
                wfDebugLog( 'img_auth', "not logged in and requested file 
not in whitelist: $imageName" ); 
I changed the test to read:
        if ( !( is_array( $wgWhitelistRead ) && in_array( $imageName, 
$wgWhitelistRead ) ) && !$wgUser->getID() ) {

Does this make sense?  I have not had a chance to verify that the 
$wgWhitelistRead override works. 
        Thanks, Norbert


More information about the MediaWiki-l mailing list