[Mediawiki-l] MediaWiki security release 1.16.4

Sullivan, James (NIH/CIT) [C] sullivan at mail.nih.gov
Fri Apr 15 13:30:05 UTC 2011

I employ the "cgi_img_auth.php" method of securing the images directory.  I believe the "image_auth.php" method is similar.  With this method a .htaccess is placed in the /images directory containing "Deny from All".  Another .htaccess in the wiki's main directory contains a rewrite rule that takes any requests for access to the images directory and re-routes it through the cgi_img_auth.php code, which verifies authentication before allowing access to the images directory.  This prevents unauthenticated users from directly accessing the images files, for example with a direct url to the image file.  

Its not clear to me that with this in place I need to also add the rewrite rule in the images directory, but if this is still needed, where would I place it?


-----Original Message-----
From: Tim Starling [mailto:tstarling at wikimedia.org] 
Sent: Thursday, April 14, 2011 11:56 PM
To: mediawiki-l at lists.wikimedia.org
Subject: Re: [Mediawiki-l] MediaWiki security release 1.16.4

On 15/04/11 13:44, jidanni at jidanni.org wrote:
> Do mention if MW 1.17 or 1.18 sysops need to worry about any of this.

Yes, the same issue existed in 1.17 and trunk before the release date.

-- Tim Starling

MediaWiki-l mailing list
MediaWiki-l at lists.wikimedia.org

More information about the MediaWiki-l mailing list