SECURITY: Don't cache when a call could autocreate

Fixes for action=raw (used when sites include other site's javascript),
and stashed images.

Bug: 53032
Change-Id: I8f915f6a4756f750c74d9ee9bec58f7ba6c0c827

diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php
index 1a451b7..a0116fb 100644 (file)
--- a/includes/actions/RawAction.php
+++ b/includes/actions/RawAction.php
@@ -94,6 +94,9 @@ class RawAction extends FormlessAction {
                # Output may contain user-specific data;
                # vary generated content for open sessions on private wikis
                $privateCache = !User::isEveryoneAllowed( 'read' ) && ( $smaxage == 0 || session_id() != '' );
+               // Bug 53032 - make this private if user is logged in,
+               // so we don't accidentally cache cookies
+               $privateCache = $privateCache ?: $this->getUser()->isLoggedIn();
                # allow the client to cache this for 24 hours
                $mode = $privateCache ? 'private' : 'public';
                $response->header(

diff --git a/includes/specials/SpecialUploadStash.php b/includes/specials/SpecialUploadStash.php
index 87b6442..1373df1 100644 (file)
--- a/includes/specials/SpecialUploadStash.php
+++ b/includes/specials/SpecialUploadStash.php
@@ -308,6 +308,8 @@ class SpecialUploadStash extends UnlistedSpecialPage {
                header( "Content-Type: $contentType", true );
                header( 'Content-Transfer-Encoding: binary', true );
                header( 'Expires: Sun, 17-Jan-2038 19:14:07 GMT', true );
+               // Bug 53032 - It shouldn't be a problem here, but let's be safe and not cache
+               header( 'Cache-Control: private' );
                header( "Content-Length: $size", true );
        }