From 1d09e22cd90ec277752646a75f5e638a5191c284 Mon Sep 17 00:00:00 2001
From: Matt Walker
Date: Tue, 20 Aug 2013 17:48:54 -0700
Subject: [PATCH] Ensure requests are not cached with session data
Remove caching for CN special pages when a user is logged in. This removes the possibility of a user being autologged in to the infrastructure wiki and a caching server collecting the Set-Header data.
Bug: 53032
Change-Id: I59001b82e49b65b035ddc60ed91687c4edefffad
---
 special/SpecialBannerLoader.php | 14 +++++++-------
 special/SpecialBannerRandom.php | 10 ++++++++--
 special/SpecialCNReporter.php | 10 ++++++++--
 special/SpecialRecordImpression.php | 8 +++++++-
 4 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/special/SpecialBannerLoader.php b/special/SpecialBannerLoader.php
index 63156e1..c529ac6 100644
--- a/special/SpecialBannerLoader.php
+++ b/special/SpecialBannerLoader.php
@@ -77,14 +77,14 @@ class SpecialBannerLoader extends UnlistedSpecialPage {
 function sendHeaders() {
 global $wgJsMimeType, $wgNoticeBannerMaxAge;
- // If logged in users are previewing banners, give them no delay
- // but otherwise use the standard cache period so that we don't
- // open too big of a DDoS hole.
- $bannerAge = ( $this->getUser()->isLoggedIn() ) ? 0 : $wgNoticeBannerMaxAge;
- header( "Content-type: $wgJsMimeType; charset=utf-8" );
- // No client-side banner caching so we get all impressions
- header( "Cache-Control: public, s-maxage=$bannerAge, max-age=0" );
+
+ // If we have a logged in user; do not cache (default for special pages)
+ // lest we capture a set-cookie header. Otherwise cache so we don't have
+ // too big of a DDoS hole.
+ if ( !$this->getUser()->isLoggedIn() ) {
+ header( "Cache-Control: public, s-maxage={$wgNoticeBannerMaxAge}, max-age=0" );
+ }
 }
 /**
diff --git a/special/SpecialBannerRandom.php b/special/SpecialBannerRandom.php
index 1d0acd5..5a5d3e7 100644
--- a/special/SpecialBannerRandom.php
+++ b/special/SpecialBannerRandom.php
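Review bot: The logged-in branch of sendHeaders now sends no Cache-Control header at all and leans on the "(default for special pages)" named in the comment, whereas the removed code at least sent an explicit `s-maxage=0`; since this method emits headers directly with header(), the hunk does not show that OutputPage's default private/no-cache header still reaches this response, and a caching proxy that sees no Cache-Control may apply its own default TTL. An explicit else branch removes the dependency on that default: `} else { header( 'Cache-Control: private, s-maxage=0, max-age=0' ); }`. The isLoggedIn() check also only covers the case the commit message names; if the session layer emits Set-Cookie for an anonymous request (for example because a session is started on this page), the response is still marked public, so it is worth confirming that no session is started on these endpoints or keying the decision on whether a Set-Cookie header is pending rather than on login state. If the `- header( "Content-type: ..." )` line is a real removal rather than a removed blank line followed by unchanged context, the JavaScript response loses its Content-type header, which the commit message does not mention. The same pattern appears in the SpecialBannerRandom, SpecialCNReporter and SpecialRecordImpression hunks.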
@@ -35,8 +35,14 @@ class SpecialBannerRandom extends SpecialBannerLoader {
 function sendHeaders() {
 global $wgJsMimeType, $wgNoticeBannerMaxAge;
+ header( "Content-type: $wgJsMimeType; charset=utf-8" );
- // No client-side banner caching so we get all impressions
- header( "Cache-Control: public, s-maxage={$wgNoticeBannerMaxAge}, max-age=0" );
+
+ // If we have a logged in user; do not cache (default for special pages)
+ // lest we capture a set-cookie header. Otherwise cache so we don't have
+ // too big of a DDoS hole.
+ if ( !$this->getUser()->isLoggedIn() ) {
+ header( "Cache-Control: public, s-maxage={$wgNoticeBannerMaxAge}, max-age=0" );
+ }
 }
 }
diff --git a/special/SpecialCNReporter.php b/special/SpecialCNReporter.php
index a4ff307..fec7904 100644
--- a/special/SpecialCNReporter.php
+++ b/special/SpecialCNReporter.php
@@ -40,7 +40,13 @@ EOT;
 * Generate the HTTP response headers for the banner file
 */
 function sendHeaders() {
- global $wgNoticeBannerMaxAge;
- header( "Cache-Control: public, s-maxage={$wgNoticeBannerMaxAge}, max-age=0" );
+ $expiry = SpecialRecordImpression::CACHE_EXPIRY;
+
+ // If we have a logged in user; do not cache (default for special pages)
+ // lest we capture a set-cookie header. Otherwise cache so we don't have
+ // too big of a DDoS hole.
+ if ( !$this->getUser()->isLoggedIn() ) {
+ header( "Cache-Control: public, s-maxage={$expiry}, max-age=0" );
+ }
 }
 }
diff --git a/special/SpecialRecordImpression.php b/special/SpecialRecordImpression.php
index ee96547..ca0f4e0 100644
--- a/special/SpecialRecordImpression.php
+++ b/special/SpecialRecordImpression.php
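Review bot: SpecialBannerRandom extends SpecialBannerLoader, and after this change its sendHeaders override appears to carry the same Content-type header and the same logged-in cache check as the parent's version in the previous hunk. If the two bodies are now identical, the override can be dropped or reduced to `parent::sendHeaders();` so the caching rule lives in one place; if they are meant to differ in the Content-type line, that difference deserves a comment, because the hunk text leaves it ambiguous whether `+ header( "Content-type: ..." )` is an added line or an added blank followed by unchanged context. The three-line comment block is also copied verbatim into four files, and a small shared helper on the base class would keep the rule from drifting between them.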
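Review bot: The reporter's cache lifetime silently changes from the configurable `$wgNoticeBannerMaxAge` to the hard-coded `SpecialRecordImpression::CACHE_EXPIRY`, which the commit message (scoped to logged-in sessions) does not mention, and it couples SpecialCNReporter to another special page's constant. If the intent is that the reporter and the impression recorder share a TTL, say so where `$expiry` is assigned, e.g. `// Same TTL as SpecialRecordImpression so both beacons expire together`, or give SpecialCNReporter its own constant; otherwise keep `$wgNoticeBannerMaxAge` here so operators can still tune it. The enclosing class of sendHeaders begins before this hunk.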
@@ -25,6 +25,12 @@ class SpecialRecordImpression extends UnlistedSpecialPage {
 function sendHeaders() {
 $expiry = static::CACHE_EXPIRY;
 header( "Content-Type: image/png" );
- header( "Cache-Control: public, s-maxage={$expiry}, max-age=0" );
+
+ // If we have a logged in user; do not cache (default for special pages)
+ // lest we capture a set-cookie header. Otherwise cache so we don't have
+ // too big of a DDoS hole.
+ if ( !$this->getUser()->isLoggedIn() ) {
+ header( "Cache-Control: public, s-maxage={$expiry}, max-age=0" );
+ }
 }
 }
--
1.7.10.4