X-Git-Url: http://git.cyclocoop.org/%7B%24admin_url%7Dmembres/cotisations/gestion/rappel_supprimer.php?a=blobdiff_plain;f=includes%2Fapi%2FApiMain.php;h=8878729abb7e2b9d46e580d5f5a751adce4e27d2;hb=66e0757587607050e43a195a2278615a4db5fc32;hp=278341d76d63a7cf24c3071e2b29f1a3e67278d1;hpb=455beb2407e06289cffd962ad03b9d7f53e93c03;p=lhc%2Fweb%2Fwiklou.git diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index 278341d76d..8878729abb 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php @@ -174,22 +174,53 @@ class ApiMain extends ApiBase { if ( isset( $request ) ) { $this->getContext()->setRequest( $request ); + } else { + $request = $this->getRequest(); } - $this->mInternalMode = ( $this->getRequest() instanceof FauxRequest ); + $this->mInternalMode = ( $request instanceof FauxRequest ); // Special handling for the main module: $parent === $this parent::__construct( $this, $this->mInternalMode ? 'main_int' : 'main' ); + $config = $this->getConfig(); + if ( !$this->mInternalMode ) { - // Impose module restrictions. - // If the current user cannot read, - // Remove all modules other than login - global $wgUser; + // Log if a request with a non-whitelisted Origin header is seen + // with session cookies. + $originHeader = $request->getHeader( 'Origin' ); + if ( $originHeader === false ) { + $origins = []; + } else { + $originHeader = trim( $originHeader ); + $origins = preg_split( '/\s+/', $originHeader ); + } + $sessionCookies = array_intersect( + array_keys( $_COOKIE ), + MediaWiki\Session\SessionManager::singleton()->getVaryCookies() + ); + if ( $origins && $sessionCookies && ( + count( $origins ) !== 1 || !self::matchOrigin( + $origins[0], + $config->get( 'CrossSiteAJAXdomains' ), + $config->get( 'CrossSiteAJAXdomainExceptions' ) + ) + ) ) { + MediaWiki\Logger\LoggerFactory::getInstance( 'cors' )->warning( + 'Non-whitelisted CORS request with session cookies', [ + 'origin' => $originHeader, + 'cookies' => $sessionCookies, + 'ip' => $request->getIP(), + 'userAgent' => $this->getUserAgent(), + 'wiki' => wfWikiID(), + ] + ); + } + // If we're in a mode that breaks the same-origin policy, strip + // user credentials for security. if ( $this->lacksSameOriginSecurity() ) { - // If we're in a mode that breaks the same-origin policy, strip - // user credentials for security. + global $wgUser; wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" ); $wgUser = new User(); $this->getContext()->setUser( $wgUser ); @@ -214,7 +245,6 @@ class ApiMain extends ApiBase { } } - $config = $this->getConfig(); $this->mModuleMgr = new ApiModuleManager( $this ); $this->mModuleMgr->addModules( self::$Modules, 'action' ); $this->mModuleMgr->addModules( $config->get( 'APIModules' ), 'action' );