Anomie has uploaded a new change for review. https://gerrit.wikimedia.org/r/294348
Change subject: API: Log non-whitelisted CORS requests with session cookies
......................................................................
API: Log non-whitelisted CORS requests with session cookies
As requested in T62835#1794915, this logs requests that have an Origin header that isn't whitelisted and have "session" cookies (defined as "cookies that SessionManager says to vary on").
Change-Id: I3e34ff1e3a0a3f63c709ee95aa5cf8309fbc4367
---
M includes/api/ApiMain.php
1 file changed, 39 insertions(+), 9 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/48/294348/1
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index ce9587f..43cc088 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -171,22 +171,53 @@
 if ( isset( $request ) ) {
 $this->getContext()->setRequest( $request );
+ } else {
+ $request = $this->getRequest();
 }
- $this->mInternalMode = ( $this->getRequest() instanceof FauxRequest );
+ $this->mInternalMode = ( $request instanceof FauxRequest );
 // Special handling for the main module: $parent === $this
 parent::__construct( $this, $this->mInternalMode ? 'main_int' : 'main' );
- if ( !$this->mInternalMode ) {
- // Impose module restrictions.
- // If the current user cannot read,
- // Remove all modules other than login
- global $wgUser;
+ $config = $this->getConfig();
+ if ( !$this->mInternalMode ) {
+ // Log if a request with a non-whitelisted Origin header is seen
+ // with session cookies.
+ $originHeader = $request->getHeader( 'Origin' );
+ if ( $originHeader === false ) {
+ $origins = [];
+ } else {
+ $originHeader = trim( $originHeader );
+ $origins = preg_split( '/\s+/', $originHeader );
+ }
+ $sessionCookies = array_intersect(
+ array_keys( $_COOKIE ),
+ MediaWiki\Session\SessionManager::singleton()->getVaryCookies()
+ );
+ if ( $origins && $sessionCookies && (
+ count( $origins ) !== 1 || !self::matchOrigin(
+ $origins[0],
+ $config->get( 'CrossSiteAJAXdomains' ),
+ $config->get( 'CrossSiteAJAXdomainExceptions' )
+ )
+ ) ) {
+ MediaWiki\Logger\LoggerFactory::getInstance( 'cors' )->warning(
+ 'Non-whitelisted CORS request with session cookies', [
+ 'origin' => $originHeader,
+ 'cookies' => $sessionCookies,
+ 'ip' => $request->getIP(),
+ 'userAgent' => $this->getUserAgent(),
+ 'wiki' => wfWikiID(),
+ ]
+ );
+ }
+
+ // If we're in a mode that breaks the same-origin policy, strip
+ // user credentials for security.
 if ( $this->lacksSameOriginSecurity() ) {
- // If we're in a mode that breaks the same-origin policy, strip
- // user credentials for security.
+ global $wgUser;
 wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" );
 $wgUser = new User();
 $this->getContext()->setUser( $wgUser );
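Review bot: The condition at `if ( $origins && $sessionCookies && (` treats every Origin outside `CrossSiteAJAXdomains` as a non-whitelisted CORS request, but browsers also send an `Origin` header on ordinary same-origin POSTs, so a logged-in user's normal api.php write would be logged at warning level on any wiki whose own host is not in that whitelist (probably the case on a default install, even if not on Wikimedia production). If the intent is to flag only genuinely cross-origin traffic, the wiki's own origin should be accepted too, e.g. `$origins[0] !== $config->get( 'CanonicalServer' ) && !self::matchOrigin(` in place of `!self::matchOrigin(`, assuming `CanonicalServer` is a bare scheme://host as the Origin header is; otherwise the comment above the block should say that same-origin requests are expected to appear in the 'cors' log. A one-line comment on the `$sessionCookies = array_intersect(` line explaining that `$_COOKIE` is read directly because `getVaryCookies()` presumably returns full (prefixed) cookie names would also help a reader who expects `$request->getCookie()` there. The enclosing constructor starts and ends outside this hunk.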
@@ -211,7 +242,6 @@
 }
 }
- $config = $this->getConfig();
 $this->mModuleMgr = new ApiModuleManager( $this );
 $this->mModuleMgr->addModules( self::$Modules, 'action' );
 $this->mModuleMgr->addModules( $config->get( 'APIModules' ), 'action' );
--
To view, visit https://gerrit.wikimedia.org/r/294348
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3e34ff1e3a0a3f63c709ee95aa5cf8309fbc4367
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Anomie <bjor...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits