From 1a1f01571e3cf7bf383296866a7b701188041287 Mon Sep 17 00:00:00 2001
From: Gilles Dubuc
Date: Tue, 9 Apr 2019 17:21:51 +0200
Subject: [PATCH] Add support for X-Swift-Secret to upload stash

This will allow us to treat the request to the temp container as securely as those on a private wiki.

Bug: T220265
Change-Id: I43a7212481665e05ae23c44ab1788d8988b80a4b
---
 includes/specials/SpecialUploadStash.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/includes/specials/SpecialUploadStash.php b/includes/specials/SpecialUploadStash.php
index fe55d9427f..c27069e006 100644
--- a/includes/specials/SpecialUploadStash.php
+++ b/includes/specials/SpecialUploadStash.php
@@ -261,6 +261,15 @@ class SpecialUploadStash extends UnlistedSpecialPage {
 $scalerThumbUrl = $scalerBaseUrl . '/' . $file->getUrlRel() . '/' . rawurlencode( $scalerThumbName );
+ // If a thumb proxy is set up for the repo, we favor that, as that will
+ // keep the request internal
+ $thumbProxyUrl = $file->getRepo()->getThumbProxyUrl();
+
+ if ( strlen( $thumbProxyUrl ) ) {
+ $scalerThumbUrl = $thumbProxyUrl . '/temp/' . $file->getUrlRel() .
+ '/' . rawurlencode( $scalerThumbName );
+ }
+
 // make an http request based on wgUploadStashScalerBaseUrl to lazy-create
 // a thumbnail
 $httpOptions = [
@@ -268,6 +277,14 @@ class SpecialUploadStash extends UnlistedSpecialPage {
 'timeout' => 5 // T90599 attempt to time out cleanly
 ];
 $req = MWHttpRequest::factory( $scalerThumbUrl, $httpOptions, __METHOD__ );
+
+ $secret = $file->getRepo()->getThumbProxySecret();
+
+ // Pass a secret key shared with the proxied service if any
+ if ( strlen( $secret ) ) {
+ $req->setHeader( 'X-Swift-Secret', $secret );
+ }
+
 $status = $req->execute();
 if ( !$status->isOK() ) {
 $errors = $status->getErrorsArray();
--
2.20.1
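Review bot: The proxy branch in the first hunk joins `$thumbProxyUrl` to a hard-coded `'/temp/'` segment without normalising the configured value, so a proxy URL that ends in a slash produces `//temp/...`; `rtrim( $thumbProxyUrl, '/' )` before the concatenation would avoid that. The literal also deserves a short comment such as `// '/temp/' addresses the temp container behind the thumb proxy`, since the commit message is the only place that explains it. `strlen()` serves as the emptiness test here and again on `$secret` in the second hunk; whether either getter can return null is not visible from the diff, so a documented string return or an explicit `!== null && !== ''` check would be clearer. The enclosing method starts and ends outside the hunk.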
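Review bot: The `X-Swift-Secret` header in the second hunk is attached whenever `getThumbProxySecret()` is non-empty, even if `getThumbProxyUrl()` was empty and `$scalerThumbUrl` still points at the `$scalerBaseUrl` scaler. A repo configured with a secret but no proxy URL would therefore send the shared secret to an endpoint that was never meant to receive it. Tie the header to the proxy branch, for example `if ( strlen( $thumbProxyUrl ) && strlen( $secret ) ) {`, and say in the comment that the secret must only travel to the internal proxy. The scheme of the proxy URL is not visible here, so it is worth confirming that the request runs over a trusted or TLS-protected path. The enclosing method starts and ends outside the hunk.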