From 2ce8dfa6be448b7bbe72a62c4b80bd867cfcf900 Mon Sep 17 00:00:00 2001 From: csteipp Date: Fri, 30 Aug 2013 11:41:55 -0700 Subject: [PATCH] SECURITY: Don't cache when a call could autocreate Fixes for action=raw (used when sites include other site's javascript), and stashed images. Bug: 53032 Change-Id: I8f915f6a4756f750c74d9ee9bec58f7ba6c0c827 --- includes/actions/RawAction.php | 3 +++ includes/specials/SpecialUploadStash.php | 2 ++ 2 files changed, 5 insertions(+) diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php index 32751e4..1a2b3cb 100644 --- a/includes/actions/RawAction.php +++ b/includes/actions/RawAction.php @@ -94,6 +94,9 @@ class RawAction extends FormlessAction { # Output may contain user-specific data; # vary generated content for open sessions on private wikis $privateCache = !User::isEveryoneAllowed( 'read' ) && ( $smaxage == 0 || session_id() != '' ); + // Bug 53032 - make this private if user is logged in, + // so we don't accidentally cache cookies + $privateCache = $privateCache ?: $this->getUser()->isLoggedIn(); # allow the client to cache this for 24 hours $mode = $privateCache ? 'private' : 'public'; $response->header( 'Cache-Control: ' . $mode . ', s-maxage=' . $smaxage . ', max-age=' . $maxage ); diff --git a/includes/specials/SpecialUploadStash.php b/includes/specials/SpecialUploadStash.php index e7f36ee..76a543a 100644 --- a/includes/specials/SpecialUploadStash.php +++ b/includes/specials/SpecialUploadStash.php @@ -303,6 +303,8 @@ class SpecialUploadStash extends UnlistedSpecialPage { header( "Content-Type: $contentType", true ); header( 'Content-Transfer-Encoding: binary', true ); header( 'Expires: Sun, 17-Jan-2038 19:14:07 GMT', true ); + // Bug 53032 - It shouldn't be a problem here, but let's be safe and not cache + header( 'Cache-Control: private' ); header( "Content-Length: $size", true ); } -- 1.8.1.4