jenkins-bot has submitted this change and it was merged.

Change subject: SECURITY: Don't cache when a call could autocreate
......................................................................


SECURITY: Don't cache when a call could autocreate

Fixes for action=raw (used when sites include other site's javascript),
and stashed images.

Bug: 53032
Change-Id: I8f915f6a4756f750c74d9ee9bec58f7ba6c0c827
---
M includes/actions/RawAction.php
M includes/specials/SpecialUploadStash.php
2 files changed, 7 insertions(+), 0 deletions(-)

Approvals:
  CSteipp: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php
index e4c6b3e..f3b7204 100644
--- a/includes/actions/RawAction.php
+++ b/includes/actions/RawAction.php
@@ -79,6 +79,11 @@
                # Output may contain user-specific data;
                # vary generated content for open sessions on private wikis
                $privateCache = !$wgGroupPermissions['*']['read'] && ( $smaxage 
== 0 || session_id() != '' );
+               // Bug 53032 - make this private if user is logged in,
+               // so we don't accidentally cache cookies
+               if ( !$privateCache ) {
+                       $privateCache = $this->getUser()->isLoggedIn();
+               }
                # allow the client to cache this for 24 hours
                $mode = $privateCache ? 'private' : 'public';
                $response->header( 'Cache-Control: ' . $mode . ', s-maxage=' . 
$smaxage . ', max-age=' . $maxage );
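Review bot: The new `isLoggedIn()` check only runs when `$privateCache` is already false, and on a public wiki the existing expression never looks at `session_id()`, so an anonymous request that carries a session cookie (and may therefore receive a `Set-Cookie` header) still gets `Cache-Control: public`. If the goal is to avoid shared caches storing cookie-bearing responses, consider extending the new condition to `$this->getUser()->isLoggedIn() || session_id() != ''` rather than keying only on login state. It would also help to state in the comment that `private` is what prevents a shared cache (e.g. Squid/Varnish) from storing the response, since the `s-maxage` value is still emitted in the private case.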
diff --git a/includes/specials/SpecialUploadStash.php 
b/includes/specials/SpecialUploadStash.php
index 121b6a4..4c1f5ff 100644
--- a/includes/specials/SpecialUploadStash.php
+++ b/includes/specials/SpecialUploadStash.php
@@ -279,6 +279,8 @@
                header( "Content-Type: $contentType", true );
                header( 'Content-Transfer-Encoding: binary', true );
                header( 'Expires: Sun, 17-Jan-2038 19:14:07 GMT', true );
+               // Bug 53032 - It shouldn't be a problem here, but let's be 
safe and not cache
+               header( 'Cache-Control: private' );
                header( "Content-Length: $size", true );
        }
 
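Review bot: `Cache-Control: private` does not match the comment's stated intent of "not cache": it only keeps shared caches from storing the response, while the browser cache may still retain it until the `Expires` header set a few lines above (year 2038). If the stash output really should not be cached at all, `Cache-Control: private, no-store` (or at least `no-cache`) and a past `Expires` value would express that; if browser caching is acceptable, reword the comment to say the response is made private rather than uncached. Also, the surrounding `header()` calls all pass `true` as the replace argument; the new call should do the same for consistency and to override any earlier `Cache-Control` header.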

-- 
To view, visit https://gerrit.wikimedia.org/r/95539
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I8f915f6a4756f750c74d9ee9bec58f7ba6c0c827
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_19
Gerrit-Owner: CSteipp <cste...@wikimedia.org>
Gerrit-Reviewer: CSteipp <cste...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
