Last modified: 2010-05-15 15:52:03 UTC
img_auth.php fails the image request if all of the conditions in the following statement are true. If any condition is false, then the routine will allow the image to be loaded (unless caught by a later test). Therefore, if $wgWhitelistRead is NOT defined, all image requests are allowed, even for users that are not logged in.

    if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead ) && !$wgUser->getID() ) {

I believe the intent was to only check whether the image name is in the whitelist if the whitelist exists. The following statement captures this logic:

    if ( !( is_array( $wgWhitelistRead ) && in_array( $imageName, $wgWhitelistRead ) ) && !$wgUser->getID() ) {

I ran into this problem with cgi_img_auth.php, which was derived from img_auth.php, but did not include the comments about setting $wgWhitelistRead. Although technically the documentation tells the user to create $wgWhitelistRead, accidentally deleting the whitelist array should not result in images being unprotected.
Fixed in r24609.
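The two conditions quoted in the report, evaluated side by side over every combination of whitelist state, image and login state. This is an added example, not code from img_auth.php or from r24609; the function names, the sample image titles and the user ID 42 are constructed for illustration.

```php
<?php
// Added example: compares the two conditions quoted in the report.
// $whitelist, $imageName and $userId stand in for $wgWhitelistRead,
// the requested image and $wgUser->getID(). All sample values are constructed.

/** Original check from the report: true means the request is rejected. */
function deniedOriginal( $whitelist, $imageName, $userId ) {
    return is_array( $whitelist )
        && !in_array( $imageName, $whitelist )
        && !$userId;
}

/** Check proposed in the report: true means the request is rejected. */
function deniedProposed( $whitelist, $imageName, $userId ) {
    return !( is_array( $whitelist ) && in_array( $imageName, $whitelist ) )
        && !$userId;
}

// null models a configuration where the whitelist was never set or was deleted.
$whitelists = [
    'unset'   => null,
    'defined' => [ 'Image:Public.png' ],
];
$images = [ 'Image:Public.png', 'Image:Private.png' ];
$users  = [ 'anonymous' => 0, 'logged in' => 42 ];

printf( "%-9s %-18s %-10s %-9s %-9s\n",
    'whitelist', 'image', 'user', 'original', 'proposed' );

foreach ( $whitelists as $wlName => $wl ) {
    foreach ( $images as $img ) {
        foreach ( $users as $userName => $id ) {
            $orig = deniedOriginal( $wl, $img, $id ) ? 'deny' : 'allow';
            $prop = deniedProposed( $wl, $img, $id ) ? 'deny' : 'allow';
            // Mark the rows where the two conditions disagree.
            $flag = ( $orig !== $prop ) ? '  <-- differs' : '';
            printf( "%-9s %-18s %-10s %-9s %-9s%s\n",
                $wlName, $img, $userName, $orig, $prop, $flag );
        }
    }
}
```

The conditions disagree only when the whitelist is unset and the user is anonymous: the original allows the request and the proposed form rejects it.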