From 8b413431d760ffa8b00a9478f14f5058f033ee7b Mon Sep 17 00:00:00 2001
From: Bryan Davis
Date: Tue, 23 Feb 2016 23:03:17 -0700
Subject: [PATCH] Guard against allowing intermediate caching when cookies are present

Output cache-control headers that disable intermediate caching even if OutputPage->mEnableClientCache is true when the response includes set-cookie headers as well. This change mirrors logic that has been in use on the Wikimedia Foundation production cluster's Varnish cache system for over 2 years to guard against accidentally caching backend responses which include Set-Cookie headers.
Co-Author: Max Semenik
Bug: T127993
Change-Id: I1a0d38a5b9dba754b91a7832371b3dc0df51bd5a
---
 includes/OutputPage.php | 8 ++++++--
 includes/WebResponse.php | 10 ++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 5d1d5d0cdf..dfab03ab3e 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2213,8 +2213,12 @@ class OutputPage extends ContextSource {
 if ( $this->mEnableClientCache ) {
 if (
- $config->get( 'UseSquid' ) && !SessionManager::getGlobalSession()->isPersistent() &&
- !$this->isPrintable() && $this->mCdnMaxage != 0 && !$this->haveCacheVaryCookies()
+ $config->get( 'UseSquid' ) &&
+ !$response->hasCookies() &&
+ !SessionManager::getGlobalSession()->isPersistent() &&
+ !$this->isPrintable() &&
+ $this->mCdnMaxage != 0 &&
+ !$this->haveCacheVaryCookies()
 ) {
 if ( $config->get( 'UseESI' ) ) {
 # We'll purge the proxy cache explicitly, but require end user agents
diff --git a/includes/WebResponse.php b/includes/WebResponse.php
index c7d0a5bea8..458c2079e4 100644
--- a/includes/WebResponse.php
+++ b/includes/WebResponse.php
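Review bot: In the OutputPage.php hunk, the new `!$response->hasCookies()` term is evaluated once, when this cache-control block runs, so it presumably reflects only cookies already recorded through WebResponse at that moment. A cookie set later in the request, or one sent with a direct `header()`/`setcookie()` call, would not stop the shared-cache headers from going out. The term is the security-relevant part of the expression and has no comment; I would add `// Never let a shared cache store a response that also sets cookies (T127993)` above it and note in the method's docblock that cookies must be set before this point. The enclosing method starts and ends outside the hunk, so where `$response` is assigned and what the fall-through branch emits cannot be checked from here.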
@@ -179,6 +179,16 @@ class WebResponse {
 public function clearCookie( $name, $options = [] ) {
 $this->setCookie( $name, '', time() - 31536000 /* 1 year */, $options );
 }
+
+ /**
+ * Checks whether this request is performing cookie operations
+ *
+ * @return bool
+ * @since 1.27
+ */
+ public function hasCookies() {
+ return (bool)self::$setCookies;
+ }
 }
 /**
--
2.20.1
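Review bot: The docblock on `hasCookies()` says the request "is performing cookie operations", which is vaguer than what the body does: it returns whether the static `self::$setCookies` is non-empty. Because the property is static, the answer is shared by every WebResponse instance in the process. Since `clearCookie()` goes through `setCookie()`, a cookie deletion presumably counts too, and both facts matter to a caller that uses this as a cache-safety check. I would reword the summary to `Whether any cookie has been recorded via setCookie() or clearCookie() so far in this request (static state, shared by all instances)`. The declaration of `$setCookies` and the code that fills it are outside the hunk, so what exactly is recorded there should be confirmed.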