SECURITY: RawAction: Vary on the usual headers

This avoids edge cases where the user isn't logged in but we still need
varying for proper cache behavior.

Bug: T125283
Change-Id: I43cde3a48371e62a16bda1291b1b51986e60fe4c

Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
Brad Jorsch authored and demon committed Jan 31, 2016
1 parent f459c1a commit af3b10287e4b4de8360ea57c400c7b8ed71596a1
Showing with 11 additions and 0 deletions.
  1. +5 −0 includes/OutputPage.php
  2. +6 −0 includes/actions/RawAction.php
@@ -2026,6 +2026,11 @@ public function addVaryHeader( $header, array $option = null ) {
* @return string
*/
public function getVaryHeader() {
// If we vary on cookies, let's make sure it's always included here too.
if ( $this->getCacheVaryCookies() ) {
$this->addVaryHeader( 'Cookie' );
}
foreach ( SessionManager::singleton()->getVaryHeaders() as $header => $options ) {
$this->addVaryHeader( $header, $options );
}
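Review bot: getVaryHeader() is a getter that now mutates output state on every call (it pushes the 'Cookie' header and every SessionManager header through addVaryHeader() each time it runs), so please confirm addVaryHeader() merges duplicate header names and their options rather than appending, otherwise repeated calls, including the getKeyHeader() path that RawAction now exercises right after it, will grow the Vary list. Also make sure SessionManager is imported in OutputPage.php (a `use MediaWiki\Session\SessionManager;` line or a fully qualified name), since the hunk references it unqualified and the surrounding context does not show the import.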
@@ -80,6 +80,12 @@ function onView() {
}
}
// Set standard Vary headers so cache varies on cookies and such (T125283)
$response->header( $this->getOutput()->getVaryHeader() );
if ( $config->get( 'UseKeyHeader' ) ) {
$response->header( $this->getOutput()->getKeyHeader() );
}
$response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
// Output may contain user-specific data;
// vary generated content for open sessions on private wikis
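Review bot: the pre-existing comment "Output may contain user-specific data; vary generated content for open sessions on private wikis" now sits directly after the new block that already emits the standard Vary (and optional Key) headers, so a reader cannot tell which code each comment governs; either fold that comment into the new "Set standard Vary headers ... (T125283)" comment or move the new Vary/Key emission below the private-wiki logic it is meant to complement, so that one place in onView() is responsible for cache variance. Also note the new Vary header is written before the Content-type header; that is harmless for HTTP, but if the code that follows also emits a Vary header for private wikis, the two should be reconciled rather than sent twice.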
