From b30709e27e9935bcc9711c3b1c33f66f19e163bf Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Sun, 31 Jan 2016 15:43:00 -0500
Subject: [PATCH] SECURITY: RawAction: Vary on the usual headers

This avoids edge cases where the user isn't logged in but we still need
varying for proper cache behavior.

Bug: T125283
Change-Id: I43cde3a48371e62a16bda1291b1b51986e60fe4c
---
 includes/OutputPage.php        | 5 +++++
 includes/actions/RawAction.php | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 564c490..2048b7c 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -1835,6 +1835,11 @@ class OutputPage extends ContextSource {
 	 * @return string
 	 */
 	public function getVaryHeader() {
+		// If we vary on cookies, let's make sure it's always included here too.
+		if ( $this->getCacheVaryCookies() ) {
+			$this->addVaryHeader( 'Cookie' );
+		}
+
 		return 'Vary: ' . join( ', ', array_keys( $this->mVaryHeader ) );
 	}
 
diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php
index 1b72662..f394e13 100644
--- a/includes/actions/RawAction.php
+++ b/includes/actions/RawAction.php
@@ -91,6 +91,12 @@ class RawAction extends FormlessAction {
 
 		$response = $request->response();
 
+		// Set standard Vary headers so cache varies on cookies and such (T125283)
+		$response->header( $this->getOutput()->getVaryHeader() );
+		if ( $wgUseXVO ) {
+			$response->header( $this->getOutput()->getXVO() );
+		}
+
 		$response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
 		# Output may contain user-specific data;
 		# vary generated content for open sessions on private wikis
-- 
2.7.4 (Apple Git-66)