From ac194c1dc98fc9d6645f4e7bc100c22133e2ff19 Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Sun, 31 Jan 2016 15:43:00 -0500
Subject: [PATCH] SECURITY: RawAction: Vary on the usual headers

This avoids edge cases where the user isn't logged in but we still need varying for proper cache behavior.

Bug: T125283
Change-Id: I43cde3a48371e62a16bda1291b1b51986e60fe4c
---
 includes/OutputPage.php | 5 +++++
 includes/actions/RawAction.php | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 50c16a2..f60960d 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2014,6 +2014,11 @@ class OutputPage extends ContextSource {
 	 * @return string
 	 */
 	public function getVaryHeader() {
+		// If we vary on cookies, let's make sure it's always included here too.
+		if ( $this->getCacheVaryCookies() ) {
+			$this->addVaryHeader( 'Cookie' );
+		}
+
 		return 'Vary: ' . join( ', ', array_keys( $this->mVaryHeader ) );
 	}
diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php
index 727bed2..d9886b3 100644
--- a/includes/actions/RawAction.php
+++ b/includes/actions/RawAction.php
@@ -94,6 +94,12 @@ class RawAction extends FormlessAction {
 		$response = $request->response();
+		// Set standard Vary headers so cache varies on cookies and such (T125283)
+		$response->header( $this->getOutput()->getVaryHeader() );
+		if ( $config->get( 'UseXVO' ) ) {
+			$response->header( $this->getOutput()->getXVO() );
+		}
+
 		$response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
 		# Output may contain user-specific data;
 		# vary generated content for open sessions on private wikis
--
2.7.4 (Apple Git-66)
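Review bot: getVaryHeader() is a getter that now mutates $this->mVaryHeader on every call, and the `@return string` docblock immediately above the added lines says nothing about that; a caller that reads the Vary list after calling this method will see 'Cookie' appear as a side effect. The mutation is idempotent because mVaryHeader is keyed by header name (the return line uses array_keys), so the behaviour is safe, but it should be stated: add ` * Side effect: if getCacheVaryCookies() returns a non-empty list, 'Cookie' is added to the Vary list before it is rendered.` to the docblock. Since this is the cache-splitting control for session-bearing responses, I would also say in the comment why it matters: ` // Without Cookie in Vary, a shared cache could serve one session's response to another.` The rest of the docblock and the class body lie outside the hunk.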
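Review bot: The added `$config->get( 'UseXVO' )` relies on a `$config` local that is not defined anywhere in the hunk; the start of this method is outside the view, so if it is not already assigned earlier the branch reads an undefined variable and the X-Vary-Options header is silently never sent. If that is the case, `$config = $this->context->getConfig();` (or whatever accessor this Action class exposes) is needed before the new lines. Separately, the context comment just below ("vary generated content for open sessions on private wikis") suggests the pre-existing code further down also emits cache-related headers; it is worth confirming that a second `Vary:` emitted later does not replace this one, since WebResponse::header() appears to be used without an explicit no-replace flag. The enclosing method continues past the end of the hunk.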