SECURITY: RawAction: Vary on the usual headers
This avoids edge cases where the user isn't logged in but we still need
varying for proper cache behavior.

Bug: T125283
Change-Id: I43cde3a48371e62a16bda1291b1b51986e60fe4c

Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
anomiex authored and Chad Horohoe committed May 20, 2016
1 parent f459c1a commit af3b102
Showing 2 changed files with 11 additions and 0 deletions.
5 changes: 5 additions & 0 deletions includes/OutputPage.php
Expand Up @@ -2026,6 +2026,11 @@ public function addVaryHeader( $header, array $option = null ) {
* @return string
*/
public function getVaryHeader() {
// If we vary on cookies, let's make sure it's always included here too.
if ( $this->getCacheVaryCookies() ) {
$this->addVaryHeader( 'Cookie' );
}

foreach ( SessionManager::singleton()->getVaryHeaders() as $header => $options ) {
$this->addVaryHeader( $header, $options );
}
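Review bot: getVaryHeader() is now a getter with side effects — every call pushes 'Cookie' and each SessionManager provider's header through addVaryHeader(), and the docblock above (`@return string`) says nothing about it, so a caller may reasonably treat it as read-only. I would extend the docblock with `Also registers the Cookie header (when cookies are varied on) and the session providers' Vary headers via addVaryHeader() before assembling the value.`. The loop hands each provider's `$options` straight to a parameter declared `array $option = null` (visible in the hunk header), so a provider returning any other type would fail there; if the provider contract does not guarantee array|null, a guard or a note is worth adding. getVaryHeader()'s body continues past the hunk, so the point where the header string is built is not visible here.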
6 changes: 6 additions & 0 deletions includes/actions/RawAction.php
Expand Up @@ -80,6 +80,12 @@ function onView() {
}
}

// Set standard Vary headers so cache varies on cookies and such (T125283)
$response->header( $this->getOutput()->getVaryHeader() );
if ( $config->get( 'UseKeyHeader' ) ) {
$response->header( $this->getOutput()->getKeyHeader() );
}

$response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
// Output may contain user-specific data;
// vary generated content for open sessions on private wikis
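Review bot: The new Vary/Key emission calls `$this->getOutput()` twice within three lines; hoisting `$out = $this->getOutput();` above the comment reads better and matches how `$response` and `$config` are already held in locals (both are defined earlier in onView(), outside the hunk). On the cache-safety point this change is after: if `$response` is a WebResponse, its header() replaces an existing header of the same name by default, so the Vary line set here only survives if nothing later in onView() emits its own `Vary:` — the session-dependent cache logic hinted at by the comment on the following lines runs outside the hunk and is worth checking once. onView() begins and ends outside this hunk.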
