[Mediawiki-l] Image Directory Security using cgi_img_auth.php
Norbert Hoeller
nhoeller at sinet.ca
Mon May 21 12:56:06 UTC 2007
I am running MediaWiki 1.10.0 on a shared hosting server with PHP 5.2.1
(cgi). I have restricted read/create/edit access to logged-in users only.
'$wgHashedUploadDirectory = true;' was defined in LocalSettings.php. To
block access from a non-Wiki user who figures out the path/filename of an
uploaded file, I have been following the directions in
http://www.mediawiki.org/wiki/Manual:Image_Authorisation.
MediaWki is installed in a '/MyWiki' subdirectory. Steps completed so
far:
* created a .htaccess file in '/MyWiki/images' containing 'Deny from All
* tested access to an existing file in '/MyWiki/images/f/f2/Fields.png'
and received: 'Error 403 - Forbidden: You tried to access a document for
which you don't have privileges.'
* downloaded CGI-supporting image authorization script, renamed it as
'cgi-img_auth.php' and installed it in '/MyWiki'
* added '$wgUploadPath = "/MyWiki/cgi_img_auth.php";' to
'Localsettings.php'
* added the following lines to .htaccess in '/MyWiki':
RewriteEngine on
RewriteBase /
RewriteRule ^cgi_img_auth.php(.*)$
cgi_img_auth.php?path=/$1
The instructions called for adding the following lines:
RewriteEngine on
RewriteRule ^/path/to/images(.*)$
/path/to/cgi_img_auth.php/$1 [R]
RewriteRule ^path/to/cgi_img_auth.php/(.*)$
path/to/cgi_img_auth.php?path=/$1
I suspect that these RewriteRules assumed that the .htaccess file was in
the root directory of the server, rather than in the Wiki directory. Since
I wanted to limit the scope of the change to the Wiki directory, I removed
the Wiki directory path (that appears to be stripped off by Apache). I
also had to add the 'RewriteBase /' statement, probably because I am on a
shared server.
Question 1: what is the purpose of the first RewriteRule in the
instructions? The $wgUploadPath statement should cause MediaWiki to send
all image requests to 'cgi_img_auth.php', which the second RewriteRule
fixes up to have the right syntax. Any requests outside of the Wiki to
the image directory itself should fail due to the 'Deny from All'
statement. Are there cases where MediaWiki tries to access an image
through the Apache server?
I found that 'cgi_img_auth.php' was not preventing access to images if the
user was logged out. In other words, direct access to '
http://.../MyWiki/cgi_img_auth.php/f/f2/Fields.png' worked. I think the
problem occurred because I did not have a $wgWhitelistRead array defined,
causing the first test to fail and bypassing the login check.
if ( is_array( $wgWhitelistRead ) && !in_array( $imageName,
$wgWhitelistRead ) && !$wgUser->getID() ) {
wfDebugLog( 'img_auth', "not logged in and requested file
not in whitelist: $imageName" );
I changed the test to read:
if ( !( is_array( $wgWhitelistRead ) && in_array( $imageName,
$wgWhitelistRead ) ) && !$wgUser->getID() ) {
Does this make sense? I have not had a chance to verify that the
$wgWhitelistRead override works.
Thanks, Norbert
More information about the MediaWiki-l
mailing list