From: Brad Jorsch Date: Tue, 8 Mar 2016 17:46:05 +0000 (-0500) Subject: Use header_register_callback to avoid caching responses with Set-Cookie headers X-Git-Tag: 1.31.0-rc.0~7691^2 X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/comptes/ajouter.php?a=commitdiff_plain;h=b84fae0173b235418eb59f0a3911262066d524ff;p=lhc%2Fweb%2Fwiklou.git Use header_register_callback to avoid caching responses with Set-Cookie headers This change mirrors logic that has been in use on the Wikimedia Foundation production cluster's Varnish cache system for over 2 years to guard against accidentally caching backend responses which include Set-Cookie headers. Bug: T127993 Change-Id: Ic79cf6c959dd870d6458874a9bffe9e25aba4919
---
diff --git a/includes/Setup.php b/includes/Setup.php
index f92c8c239b..f26d789496 100644
--- a/includes/Setup.php
+++ b/includes/Setup.php
@@ -536,6 +536,35 @@ if ( !class_exists( 'AutoLoader' ) ) {
 	require_once "$IP/includes/AutoLoader.php";
 }
 
+// Install a header callback to prevent caching of responses with cookies (T127993)
+if ( !$wgCommandLineMode ) {
+	header_register_callback( function () {
+		$headers = [];
+		foreach ( headers_list() as $header ) {
+			list( $name, $value ) = explode( ':', $header, 2 );
+			$headers[strtolower( trim( $name ) )][] = trim( $value );
+		}
+
+		if ( isset( $headers['set-cookie'] ) ) {
+			$cacheControl = isset( $headers['cache-control'] )
+				? implode( ', ', $headers['cache-control'] )
+				: '';
+
+			if ( !preg_match( '/(?:^|,)\s*(?:private|no-cache|no-store)\s*(?:$|,)/i', $cacheControl ) ) {
+				header( 'Expires: Thu, 01 Jan 1970 00:00:00 GMT' );
+				header( 'Cache-Control: private, max-age=0, s-maxage=0' );
+				MediaWiki\Logger\LoggerFactory::getInstance( 'cache-cookies' )->warning(
+					'Cookies set on {url} with Cache-Control "{cache-control}"', [
+						'url' => WebRequest::getGlobalRequestURL(),
+						'cookies' => $headers['set-cookie'],
+						'cache-control' => $cacheControl ?: '',
+					]
+				);
+			}
+		}
+	} );
+}
+
 MWExceptionHandler::installHandler();
 
 require_once "$IP/includes/compat/normal/UtfNormalUtil.php";
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index ce5cb96190..812a320f91 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -719,13 +719,13 @@ class WebRequest {
 	}
 
 	/**
-	 * Return the path and query string portion of the request URI.
+	 * Return the path and query string portion of the main request URI.
 	 * This will be suitable for use as a relative link in HTML output.
 	 *
 	 * @throws MWException
 	 * @return string
 	 */
-	public function getRequestURL() {
+	public static function getGlobalRequestURL() {
 		if ( isset( $_SERVER['REQUEST_URI'] ) && strlen( $_SERVER['REQUEST_URI'] ) ) {
 			$base = $_SERVER['REQUEST_URI'];
 		} elseif ( isset( $_SERVER['HTTP_X_ORIGINAL_URL'] )
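Review bot: The warning's context entry `'cookies' => $headers['set-cookie']` writes the complete Set-Cookie values — which for a wiki include the session identifier and login-token cookies — into the cache-cookies log channel, so a misconfigured Cache-Control header turns into session material sitting in log storage. Only the cookie names are needed to locate the offending code path, so log them instead: `'cookies' => array_map( function ( $c ) { return explode( '=', $c, 2 )[0]; }, $headers['set-cookie'] ),`. Separately, `list( $name, $value ) = explode( ':', $header, 2 )` assumes every entry from headers_list() contains a colon; if a SAPI ever reports a line without one this raises an undefined-offset notice inside the header callback, and a guard of `if ( strpos( $header, ':' ) === false ) { continue; }` before it is cheap. Lastly, `header( 'Cache-Control: private, max-age=0, s-maxage=0' )` replaces a previously set Cache-Control header, but if a caller emitted several with `header( ..., false )` it is worth confirming against PHP's replace semantics that none survive alongside the override, since the implode above shows the code already anticipates multiple values.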
@@ -762,6 +762,17 @@ class WebRequest {
 		}
 	}
 
+	/**
+	 * Return the path and query string portion of the request URI.
+	 * This will be suitable for use as a relative link in HTML output.
+	 *
+	 * @throws MWException
+	 * @return string
+	 */
+	public function getRequestURL() {
+		return self::getGlobalRequestURL();
+	}
+
 	/**
 	 * Return the request URI with the canonical service and hostname, path,
 	 * and query string. This will be suitable for use as an absolute link