I wanted to highlight a potential flaw in the extension code. Specifically, there's an issue with how files are accessed, which fails in wikis with private configurations or those using img_auth.php.
However, this approach doesn't work when img_auth.php is used, as direct URL access is restricted, and proper authentication processes are not followed in the code, leading to failed retrievals.
For environments where file access is regulated through img_auth.php, the method getLocalRefPath() should be considered for use, since it obtains files from the local path, avoiding unauthorized access issues.
Could this be adjusted to accommodate private or restricted-access wikis?
samwilson
commented
11 months ago
I wanted to highlight a potential flaw in the extension code. Specifically, there's an issue with how files are accessed, which fails in wikis with private configurations or those using
img_auth.php.In the current implementation, the file retrieval method assumes direct access to the file's URL: https://github.com/samwilson/diagrams-extension/blob/7b3507656fda98b56840ba8f295d6dc8684576b3/includes/Diagrams.php#L137
However, this approach doesn't work when
img_auth.phpis used, as direct URL access is restricted, and proper authentication processes are not followed in the code, leading to failed retrievals.For environments where file access is regulated through img_auth.php, the method
getLocalRefPath()should be considered for use, since it obtains files from the local path, avoiding unauthorized access issues.Could this be adjusted to accommodate private or restricted-access wikis?