Chad has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/332643 )

Change subject: MWMultiVersion: Better handling for bogus host headers
......................................................................

MWMultiVersion: Better handling for bogus host headers

A 500 internal server error implies to the client that something
is busted on our end and to please try again later.

These invalid host errors are not that. We're working perfectly,
but clients are requesting bogus host values (usually of the form
'wikipedia' with no tld or lang code subdomain). These are the
client's responsibility to fix.

Returning 400 Bad Request not only feels more correct, it's the
right thing to do...

From https://tools.ietf.org/html/rfc7230#section-5.4

"""
A server MUST respond with a 400 (Bad Request) status code to any
HTTP/1.1 request message that lacks a Host header field and to any
request message that contains more than one Host header field or a
Host header field with an invalid field-value.
"""

Not actually logging this might be better, but we can save that
for a followup since the error() function is being abused for a
couple of different purposes.

Change-Id: Ic9da694ca884d9998b45d080404946200a45bb1e
---
M multiversion/MWMultiVersion.php
1 file changed, 15 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/mediawiki-config refs/changes/43/332643/1

diff --git a/multiversion/MWMultiVersion.php b/multiversion/MWMultiVersion.php
index 44fdb58..9132f40 100644
--- a/multiversion/MWMultiVersion.php
+++ b/multiversion/MWMultiVersion.php
@@ -174,7 +174,7 @@
                                        $site = $matches[2];
                                }
                        } else {
-                               self::error( "Invalid host name 
($serverName).\n" );
+                               self::error( "Invalid host name 
($serverName).\n", 400 );
                        }
                } elseif ( preg_match( '/^(.*)\.([a-z]+)\.org$/', $serverName, 
$matches ) ) {
                        $lang = $matches[1];
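
Review bot: At the self::error() call in this hunk the message carries only $serverName, while the other invalid-host call further down also records request, ip and xff. Both now return 400 for the same class of client mistake, so consider giving them the same message shape, which lets the resulting entries be grouped and counted together.
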
@@ -193,7 +193,7 @@
                        $ip = @$_SERVER['REQUEST_ADDR'];
                        $xff = @$_SERVER['HTTP_X_FORWARDED_FOR'];
                        $request = @$_SERVER['REQUEST_URI'];
-                       self::error( "Invalid host name (server: $serverName, 
request: $request, ip: $ip, xff: $xff).\n" );
+                       self::error( "Invalid host name (server: $serverName, 
request: $request, ip: $ip, xff: $xff).\n", 400 );
                }
                $this->loadDBFromSite( $site, $lang );
        }
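
Review bot: The context line `$ip = @$_SERVER['REQUEST_ADDR'];` reads a key that PHP does not document; the client address is in `$_SERVER['REMOTE_ADDR']`, and the `@` hides the resulting notice, so the `ip:` field in this message is probably always empty. Worth fixing while this call is being touched. Separately, this string is what error() echoes to the client, so request, ip and xff end up in the body of the 400 response; a short client-facing message with the detail kept for the log would be cleaner.
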
@@ -354,14 +354,24 @@
 
        /**
         * Error out and exit(1);
-        * @param $msg String
+        * @param string $msg Error to show to the client
+        * @param int $httpError HTTP header error code
         * @return void
         */
-       private static function error( $msg ) {
+       private static function error( $msg, $httpError = 500 ) {
                $msg = (string)$msg;
                if ( PHP_SAPI !== 'cli' ) {
                        $msg = htmlspecialchars( $msg );
-                       header( 'HTTP/1.1 500 Internal server error' );
+                       switch( $httpError ) {
+                               case 400:
+                                       $httpMsg = 'Bad Request';
+                                       break;
+                               case 500:
+                               default:
+                                       $httpMsg = 'Internal server error';
+                                       break;
+                       }
+                       header( "HTTP/1.1 $httpError $httpMsg" );
                }
                echo $msg;
                trigger_error( $msg, E_USER_ERROR );
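
Review bot: In the switch, the default branch sets only $httpMsg, so any code other than 400 or 500 goes out with a mismatched reason phrase; error( $msg, 404 ) would send `HTTP/1.1 404 Internal server error`. Set `$httpError = 500;` in the default branch (or validate the argument up front) so the status code and phrase always agree. The docblock summary still reads "Error out and exit(1)" and could mention that the function now picks the HTTP status, and trigger_error( $msg, E_USER_ERROR ) still fires for the 400 case, which the commit message defers to a followup.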

-- 
To view, visit https://gerrit.wikimedia.org/r/332643

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic9da694ca884d9998b45d080404946200a45bb1e
Gerrit-PatchSet: 1
Gerrit-Project: operations/mediawiki-config
Gerrit-Branch: master
Gerrit-Owner: Chad <ch...@wikimedia.org>
