API: Make output containing private or user-specific data uncacheable for logged-in users by setting Vary: Cookie or Cache-Control: private, whichever is appropriate. Fixes instances in core and WMF-deployed extensions only. Without this change, the output of requests like ?action=query&list=recentchanges&rcprop=patrolled&smaxage=3600 would be cached in Squid and viewable for anyone using the same URL, even if they don't have patrol rights. Other, more serious exploits are also possible. Also avoid using $wgUser in one place, kill some unused global $wgUser; instances and tweak a comment.
18 files changed: