From 00b7f76aaf2037cbb084b4f80b5ec3c9e2a7a88a Mon Sep 17 00:00:00 2001
From: Kevin Israel
Date: Thu, 20 Mar 2014 21:19:08 -0400
Subject: [PATCH] Remove $wgHttpOnlyBlacklist

This hack was added in r34083 / 6b16f4410897 to support IE for Mac. That browser is no longer supported, and no additional user-agent strings have been added in WMF configuration.

Change-Id: Iffba121a9964e2ad387fad8827ddfd8dabcbd12e
---
 RELEASE-NOTES-1.23 | 1 +
 includes/DefaultSettings.php | 11 -----------
 includes/GlobalFunctions.php | 23 +++--------------------
 includes/WebResponse.php | 6 ------
 4 files changed, 4 insertions(+), 37 deletions(-)

diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 340aa505a4..9633edd49b 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -50,6 +50,7 @@ production.
 prepended to the start of this array.
 * $wgQueryPages has been removed. Query Pages should be added to by using the wgQueryPages hook.
+* $wgHttpOnlyBlacklist has been removed.
 === New features in 1.23 ===
 * ResourceLoader can utilize the Web Storage API to cache modules client-side.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index c6ebb35ad2..3c4ef50983 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4870,17 +4870,6 @@ $wgCookiePrefix = false;
 */
 $wgCookieHttpOnly = true;
-/**
- * If the requesting browser matches a regex in this blacklist, we won't
- * send it cookies with HttpOnly mode, even if $wgCookieHttpOnly is on.
- */
-$wgHttpOnlyBlacklist = array(
- // Internet Explorer for Mac; sometimes the cookies work, sometimes
- // they don't. It's difficult to predict, as combinations of path
- // and expiration options affect its parsing.
- '/^Mozilla\/4\.0 \(compatible; MSIE \d+\.\d+; Mac_PowerPC\)/',
-);
-
 /**
 * A list of cookies that vary the cache (for use by extensions)
 */
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index a6f936fa6d..61d1a70f19 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3443,23 +3443,6 @@ function wfBaseConvert( $input, $sourceBase, $destBase, $pad = 1,
 return str_pad( $result, $pad, '0', STR_PAD_LEFT );
 }
-/**
- * @return bool
- */
-function wfHttpOnlySafe() {
- global $wgHttpOnlyBlacklist;
-
- if ( isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
- foreach ( $wgHttpOnlyBlacklist as $regex ) {
- if ( preg_match( $regex, $_SERVER['HTTP_USER_AGENT'] ) ) {
- return false;
- }
- }
- }
-
- return true;
-}
-
 /**
 * Check if there is sufficient entropy in php's built-in session generation
 * @return bool true = there is sufficient entropy
@@ -3532,7 +3515,6 @@ function wfSetupSession( $sessionId = false ) {
 # hasn't already been set to the desired value (that causes errors)
 ini_set( 'session.save_handler', $wgSessionHandler );
 }
- $httpOnlySafe = wfHttpOnlySafe() && $wgCookieHttpOnly;
 wfDebugLog( 'cookie',
 'session_set_cookie_params: "' . implode( '", "',
 array(
@@ -3540,8 +3522,9 @@ function wfSetupSession( $sessionId = false ) {
 $wgCookiePath,
 $wgCookieDomain,
 $wgCookieSecure,
- $httpOnlySafe ) ) . '"' );
- session_set_cookie_params( 0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $httpOnlySafe );
+ $wgCookieHttpOnly ) ) . '"' );
+ session_set_cookie_params(
+ 0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly );
 session_cache_limiter( 'private, must-revalidate' );
 if ( $sessionId ) {
 session_id( $sessionId );
diff --git a/includes/WebResponse.php b/includes/WebResponse.php
index ab7524c22e..a3dadd088a 100644
--- a/includes/WebResponse.php
+++ b/includes/WebResponse.php
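Review bot: In the third hunk of includes/GlobalFunctions.php, `$wgCookieHttpOnly` now goes unmodified into both the debug-log array and `session_set_cookie_params()`, whereas the removed `wfHttpOnlySafe() && $wgCookieHttpOnly` always produced a real boolean. If a site's configuration sets a non-boolean value (for example the string `'false'`, which PHP treats as true), the 'cookie' log line would print that raw value while the session cookie still gets HttpOnly, so the log can disagree with the flag actually sent. Normalising once before the log keeps the two in step: `$httpOnly = (bool)$wgCookieHttpOnly;`, then pass `$httpOnly` in both places. wfSetupSession() begins before and continues past this hunk, so the `global` declaration is assumed to already list `$wgCookieHttpOnly`.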
@@ -88,12 +88,6 @@ class WebResponse {
 $expire = time() + $wgCookieExpiration;
 }
- // Don't mark the cookie as httpOnly if the requesting user-agent is
- // known to have trouble with httpOnly cookies.
- if ( !wfHttpOnlySafe() ) {
- $options['httpOnly'] = false;
- }
-
 $func = $options['raw'] ? 'setrawcookie' : 'setcookie';
 if ( wfRunHooks( 'WebResponseSetCookie', array( &$name, &$value, &$expire, $options ) ) ) {
--
2.20.1