Manual:画像認証

既定では、すべてのアップロードされた画像（とファイル）はWebサーバーから直接アクセス可能です。 MediaWiki のフレームワーク内で許可された利用者のみにアクセスを許可したい場合、2 つの条件を満たす必要があります:

1. 実際のディレクトリは直接のアクセスから保護され;
2. MediaWikiの認証はそのディレクトリを含むURLが要求されたときにスクリプトの実行によって画像／ファイルへのアクセスがあったときに呼び出される必要があります。

基本的な実装には次の設定が必要です：

1. アップロードディレクトリ（$wgUploadDirectory ）を、ファイルシステム上のWebルートディレクトリの外にするか、保護します。
2. アップロードパス（$wgUploadPath ）をimg_auth.php へのパスに設定します。

両方のメカニズムはWebサーバープラットフォームによって異なります。 ここでは2つのプラットフォームについて詳細な手順を説明します。

1. Apache (ほとんどのバージョン)
2. Microsoft Internet Information Server (IIS), version 6.0 以降

すべての説明において、MediaWiki が "/path/to" にインストールされているとします。

例えば：

http://wiki.example.org/MyWiki

"/path/to" は "/MyWiki"です。

Image authorisation works by routing requests for uploaded media files through the img_auth.php script, instead of allowing the web server to directly send the file to the browser. This is done by setting $wgUploadPath to the location of the img_auth.php script ($wgUploadPath = "$wgScriptPath/img_auth.php";), instead of the upload diectory. This causes MediaWiki to generate file URLs that look something like http://wiki.example.org/w/img_auth.php/01/01/Example.png. When the web server receives a request for such a URL, it will know to call the img_auth.php script and pass it the reremainder of the URL as PATH_INFO. The script will then check whether the user has access to the file given in the PATH_INFO, based on the normal mechanism used for managing access to wiki pages. If img_auth.php determines that the user has access to the requested file, it read the file's content and streams it back to the user, just as if the webserver was serving the file directly from the disk. If however the user does not have access to the file, img_auth.php returns the standard 403 "Access Denied" error.

Before attempting this configuration it is very important you understand how to configure file uploads. Please take a few moments to review and understand this article - it will save you a lot of time.

This requires that your PHP setup support PATH_INFO (many CGI configurations do not) and you need to be in $wgWhitelistRead mode or else, there wouldn't be a point ... unless you just like a more secure MW install. See below.

Even if you don't want to restrict access to your images you might want to make use of the img_auth.php mechanism: to avoid publicly accessible directories, where the web server has write permissions. Though a web server writable directory is not insecure in itself, it is the first half of a successful attack to your web server. The second half then would be some exploitable (php) script, being MW or, most likely, some other script. If the attacker can exploit the broken script to upload or generate another script intended to help him with further attacks/spamming etc, the attacker still needs a place to store that script in, writable by the web server ... and has it available and well known in the images directory of MW standard installations.

# No php execution in the upload area
php_admin_flag engine off

1. login in to a shell of your web server (similar actions are often possible with your FTP client, if not, ask your provider to assist you)
2. create the unguessable images/upload directory outside of (in parallel to) your document root (note the /.. at the end of the path):

   cd </absolute/path/to/your/doc_root>/..
   mkdir <推測できないディレクトリ名>
   

3. make it read/writeable for the web server:

   chgrp <your_web_server_group> <推測できないディレクトリ名>
   chmod 770 <推測できないディレクトリ名>
   

4. create the .htaccess file as noted above and make it readable only (this is paranoia, because the web server never looks here, only PHP not taking care of .ht* files normally, but just in case this directory ever will be made available to the web server directly):

   cd <推測できないディレクトリ名>
   echo 'php_admin_flag engine off' > .htaccess
   chmod 444 .htaccess
   

5. change your LocalSettings.php config file: $wgUploadPath = "$wgScriptPath /img_auth.php"; $wgUploadDirectory = '</absolute/path/to/your/doc_root>/../<推測できないディレクトリ名>'; $wgEnableUploads = true; # We don't wanna restrict access, just make our MW install more secure $wgWhitelistRead = false;

That should do the job for web servers with PHP running as an Apache module. No further Apache config file changes are necessary. You then will never see the path to your images, img_auth.php intercepts all read accesses. But all of your images are served, including thumbs.

Deny from All

Apache Step 2.1. Change $wgUploadPath in LocalSettings.php. This is not needed if Apache step 2.2 is done.

$wgUploadPath = "[/path/to]/img_auth.php";

$wgUploadPath = "/mediawiki/img_auth.php";

Be sure to add a leading slash / if img_auth.php is actually in your root-directory. Images won't be displayed at all if you forget to do so:

$wgUploadPath = "/img_auth.php";

Alias [/path/to]/images/ [/path/to]/img_auth.php/
Alias [/path/to]/images [/path/to]/img_auth.php

When PATH_INFO is not available download the CGI-supporting image authorization script. Save script under the name cgi_img_auth.php in your MediaWiki directory.

Deny from All

Apache Step 3.1. Change $wgUploadPath in LocalSettings.php

$wgUploadPath = "[/path/to]/cgi_img_auth.php";

RewriteEngine on
RewriteRule ^/path/to/images(.*)$ /path/to/cgi_img_auth.php/$1 [R]
RewriteRule ^path/to/cgi_img_auth.php/(.*)$ path/to/cgi_img_auth.php?path=/$1

RewriteCond %{REQUEST_URI} /img_auth\.php/
RewriteRule ^ - [L]

RewriteEngine On
# First condition&rule:
RewriteCond %{REQUEST_URI} /img_auth\.php/
RewriteRule ^ - [L]
# Rest of rules:
RewriteCond ...
RewriteRule ...

        <Directory /var/www/wiki/images>
                Options -Indexes
        </Directory>

Implementation in IIS is more complex because it lacks the inherent 'pipe' capabilities of Apache or Unix in general. However using a few tricks, IIS can be made to execute the CGI and achieve protection.

With IIS it is important that users cannot access images or files by using alternative URL paths to the bypass the virtual directory redirect. Therefore, a new directory outside the MediaWiki root must be created.

Create a new physical directory. This directory should not be inside any other existing web directories or virtual web directories:

例:

c:\inetpub\wwwroot\MyWikiImg

The Directory security must allow read, write, modify for the Internet Guest Account (usually IUSR_[server name]). Don't worry, you're going to regulate this in subsequent steps.

Still in IIS Manager, right click on the new virtual directory->Properties select the 'Virtual Directory' tab and change the 'The content for this resource should come from:' to 'A redirection to a URL'. Fill in the 'Redirect To:' with the URL to img_auth in your MediaWiki.

例:

http://wiki.example.org/MyWiki/img_auth.php

Copy the contents of the old images directory ($ip/image) and subdirectories into the new directory you created. Note: The image directory will not exist in the new directory. The new directory should not appear as:

MyWikiImg
  images
    0
    1
    . . .

MyWikiImg
  0
  1
  . . .

IIS Step 4.1 Change $wgUploadPath in LocalSettings.php

$wgUploadPath = "[NewVirtualDirPath]";

例:

$wgUploadPath = "/MyWikiImg";

IIS Step 4.2 Change $wgUploadDirectory in LocalSettings.php

$wgUploadDirectory = "[NewVirtualDirImages]";

例:

$wgUploadDirectory = "D:\Inetpub\wwwroot\MyWikiImg";

There have been several articles and hints that some versions of IIS may disallow the server variables PATH_INFO and PATH_TRANSLATE 'for security reasons'. While we did not have this problem on the current server and patch level (IIS 6.0) it is a noted issue for IIS 4.0 (and possibly prior), you may want to investigate if img_auth.php is not working for you.

The full knowledgebase article may be found at Using PATH_INFO and PATH_TRANSLATED from CGI Applications. The article instructs you on how to run a program written in MS Visual Basic (you may need to load CScript).