From: Brad Jorsch
Date: Sun, 31 Jan 2016 20:43:00 +0000 (-0500)
Subject: SECURITY: RawAction: Vary on the usual headers
X-Git-Tag: 1.31.0-rc.0~6884
X-Git-Url: http://git.cyclocoop.org/%24dirpuce/puce%24spip_lang_rtl.gif?a=commitdiff_plain;h=af3b10287e4b4de8360ea57c400c7b8ed71596a1;p=lhc%2Fweb%2Fwiklou.git

SECURITY: RawAction: Vary on the usual headers

This avoids edge cases where the user isn't logged in but we still need varying for proper cache behavior.

Bug: T125283
Change-Id: I43cde3a48371e62a16bda1291b1b51986e60fe4c
Signed-off-by: Chad Horohoe
---
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 67e9a4ff82..d8600c1ef5 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2026,6 +2026,11 @@ class OutputPage extends ContextSource {
 * @return string
 */
 public function getVaryHeader() {
+ // If we vary on cookies, let's make sure it's always included here too.
+ if ( $this->getCacheVaryCookies() ) {
+ $this->addVaryHeader( 'Cookie' );
+ }
+
 foreach ( SessionManager::singleton()->getVaryHeaders() as $header => $options ) {
 $this->addVaryHeader( $header, $options );
 }
diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php
index c7b18a4ba1..5bf24f60e6 100644
--- a/includes/actions/RawAction.php
+++ b/includes/actions/RawAction.php
@@ -80,6 +80,12 @@ class RawAction extends FormlessAction {
 }
 }
+ // Set standard Vary headers so cache varies on cookies and such (T125283)
+ $response->header( $this->getOutput()->getVaryHeader() );
+ if ( $config->get( 'UseKeyHeader' ) ) {
+ $response->header( $this->getOutput()->getKeyHeader() );
+ }
+
 $response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
 // Output may contain user-specific data;
 // vary generated content for open sessions on private wikis
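Review bot: The docblock immediately above the added lines in getVaryHeader() still says only `@return string`, yet the new `addVaryHeader( 'Cookie' )` call, like the existing SessionManager loop beneath it, mutates the instance's vary list as a side effect of what reads like a plain getter — a side effect the new RawAction caller relies on without it being visible in the contract. Add to that docblock `@note Calling this also registers 'Cookie' (when cache-vary cookies are configured) and the session manager's vary headers on this OutputPage, so the returned Vary line and a later getKeyHeader() agree.` Whether the bare `'Cookie'` entry, added without the per-cookie options the Key header can carry, loses options registered earlier depends on how addVaryHeader() merges its second argument, which is outside the hunk; if it replaced rather than merged, Key would become less precise, though varying on the whole Cookie header remains the conservative choice for a shared cache. The rest of getVaryHeader's body, where the string is assembled and returned, continues outside the hunk.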