From af3b10287e4b4de8360ea57c400c7b8ed71596a1 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Sun, 31 Jan 2016 15:43:00 -0500
Subject: [PATCH] SECURITY: RawAction: Vary on the usual headers

This avoids edge cases where the user isn't logged in but we still need
varying for proper cache behavior.

Bug: T125283
Change-Id: I43cde3a48371e62a16bda1291b1b51986e60fe4c

Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
---
 includes/OutputPage.php        | 5 +++++
 includes/actions/RawAction.php | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 67e9a4ff82..d8600c1ef5 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2026,6 +2026,11 @@ class OutputPage extends ContextSource {
 	 * @return string
 	 */
 	public function getVaryHeader() {
+		// If we vary on cookies, let's make sure it's always included here too.
+		if ( $this->getCacheVaryCookies() ) {
+			$this->addVaryHeader( 'Cookie' );
+		}
+
 		foreach ( SessionManager::singleton()->getVaryHeaders() as $header => $options ) {
 			$this->addVaryHeader( $header, $options );
 		}
diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php
index c7b18a4ba1..5bf24f60e6 100644
--- a/includes/actions/RawAction.php
+++ b/includes/actions/RawAction.php
@@ -80,6 +80,12 @@ class RawAction extends FormlessAction {
 			}
 		}
 
+		// Set standard Vary headers so cache varies on cookies and such (T125283)
+		$response->header( $this->getOutput()->getVaryHeader() );
+		if ( $config->get( 'UseKeyHeader' ) ) {
+			$response->header( $this->getOutput()->getKeyHeader() );
+		}
+
 		$response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
 		// Output may contain user-specific data;
 		// vary generated content for open sessions on private wikis
-- 
2.20.1