CSteipp has uploaded a new change for review. https://gerrit.wikimedia.org/r/95558
Change subject: SECURITY: Don't cache when a call could autocreate ...................................................................... SECURITY: Don't cache when a call could autocreate Fixes for action=raw (used when sites include other site's javascript), and stashed images. Bug: 53032 Change-Id: I8f915f6a4756f750c74d9ee9bec58f7ba6c0c827 --- M includes/actions/RawAction.php M includes/specials/SpecialUploadStash.php 2 files changed, 5 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/58/95558/1 diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php index 1a451b7..a0116fb 100644 --- a/includes/actions/RawAction.php +++ b/includes/actions/RawAction.php @@ -94,6 +94,9 @@ # Output may contain user-specific data; # vary generated content for open sessions on private wikis $privateCache = !User::isEveryoneAllowed( 'read' ) && ( $smaxage == 0 || session_id() != '' ); + // Bug 53032 - make this private if user is logged in, + // so we don't accidentally cache cookies + $privateCache = $privateCache ?: $this->getUser()->isLoggedIn(); # allow the client to cache this for 24 hours $mode = $privateCache ? 'private' : 'public'; $response->header( diff --git a/includes/specials/SpecialUploadStash.php b/includes/specials/SpecialUploadStash.php index 87b6442..1373df1 100644 --- a/includes/specials/SpecialUploadStash.php +++ b/includes/specials/SpecialUploadStash.php 
@@ -308,6 +308,8 @@ header( "Content-Type: $contentType", true ); header( 'Content-Transfer-Encoding: binary', true ); header( 'Expires: Sun, 17-Jan-2038 19:14:07 GMT', true ); + // Bug 53032 - It shouldn't be a problem here, but let's be safe and not cache + header( 'Cache-Control: private' ); header( "Content-Length: $size", true ); } -- To view, visit https://gerrit.wikimedia.org/r/95558 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I8f915f6a4756f750c74d9ee9bec58f7ba6c0c827 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: CSteipp <cste...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
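Review bot: In the RawAction.php hunk, `$privateCache = $privateCache ?: $this->getUser()->isLoggedIn();` is a boolean OR written with the short ternary; `$privateCache = $privateCache || $this->getUser()->isLoggedIn();` reads the same without the reader having to recall that `?:` yields the left operand when it is truthy. More substantively, the new condition only covers a logged-in user: on a wiki where everyone may read, the existing line leaves `$privateCache` false, so a request that started a session without completing a login still gets `Cache-Control: public` even though the comment's concern is cookies ending up in the cache. The existing condition already tests `session_id() != ''`; consider `|| session_id() != ''` next to `isLoggedIn()` if the goal is to never let a shared cache store a response that carries session cookies.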
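Review bot: In the SpecialUploadStash.php hunk, the comment says "not cache" but `Cache-Control: private` only stops shared caches from storing the response; the `Expires: Sun, 17-Jan-2038 19:14:07 GMT` header two lines above still tells the browser to keep the stashed file for years. If the intent really is no caching, send `Cache-Control: private, no-cache` (or drop the far-future Expires); if browser caching of the user's own stashed file is acceptable, reword the comment to say "keep shared caches from storing it". Minor style point: the neighbouring `header()` calls pass the replace argument explicitly (`, true`), so the new call should match with `header( 'Cache-Control: private', true );`.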