From 240f789c892694cc92c896b87c98458581494149 Mon Sep 17 00:00:00 2001
From: Bryan Davis <bd808@wikimedia.org>
Date: Wed, 27 Jan 2016 17:53:54 -0700
Subject: [PATCH] Log user-agents that are using HTTP when HTTPS is preferred

Log a feature usage message and add a warning to the response when an
API request is made over unencrypted HTTP and the wiki or user has asked
that HTTPS be used by default.

Bug: T105794
Change-Id: I339bfa96614c6318db303bb22a8f86bd0336ddbe
---
 includes/api/ApiMain.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 6ddc28af21..458fd18ffa 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -1231,7 +1231,8 @@ class ApiMain extends ApiBase {
 	 * @param array $params An array with the request parameters
 	 */
 	protected function setupExternalResponse( $module, $params ) {
-		if ( !$this->getRequest()->wasPosted() && $module->mustBePosted() ) {
+		$request = $this->getRequest();
+		if ( !$request->wasPosted() && $module->mustBePosted() ) {
 			// Module requires POST. GET request might still be allowed
 			// if $wgDebugApi is true, otherwise fail.
 			$this->dieUsageMsgOrDebug( array( 'mustbeposted', $this->mAction ) );
@@ -1243,6 +1244,15 @@ class ApiMain extends ApiBase {
 			// Create an appropriate printer
 			$this->mPrinter = $this->createPrinterByName( $params['format'] );
 		}
+
+		if ( $request->getProtocol() === 'http' && (
+			$request->getSession()->shouldForceHTTPS() ||
+			( $this->getUser()->isLoggedIn() &&
+				$this->getUser()->requiresHTTPS() )
+		) ) {
+			$this->logFeatureUsage( 'https-expected' );
+			$this->setWarning( 'HTTP used when HTTPS was expected' );
+		}
 	}
 
 	/**
-- 
2.20.1