SECURITY: RawAction: Vary on the usual headers
authorBrad Jorsch <bjorsch@wikimedia.org>
Sun, 31 Jan 2016 20:43:00 +0000 (15:43 -0500)
committerChad Horohoe <chadh@wikimedia.org>
Fri, 20 May 2016 16:48:26 +0000 (09:48 -0700)
This avoids edge cases where the user isn't logged in but the response
still needs to vary for proper cache behavior.

Bug: T125283
Change-Id: I43cde3a48371e62a16bda1291b1b51986e60fe4c

Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
includes/OutputPage.php
includes/actions/RawAction.php

index 67e9a4f..d8600c1 100644 (file)
@@ -2026,6 +2026,11 @@ class OutputPage extends ContextSource {
         * @return string
         */
        public function getVaryHeader() {
+               // If we vary on cookies, let's make sure it's always included here too.
+               if ( $this->getCacheVaryCookies() ) {
+                       $this->addVaryHeader( 'Cookie' );
+               }
+
                foreach ( SessionManager::singleton()->getVaryHeaders() as $header => $options ) {
                        $this->addVaryHeader( $header, $options );
                }
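Review bot: The docblock directly above (ending in `@return string` at the top of the hunk) does not say that getVaryHeader() mutates the Vary list before returning it, and this change widens that side effect: any caller reading the header now also gets `Cookie` added whenever getCacheVaryCookies() returns a non-empty list, in addition to the session headers merged in the loop below. A line such as `* Side effect: adds 'Cookie' (when cache-vary cookies are configured) and the SessionManager vary headers to the list before building the string.` would make the contract explicit for callers like RawAction that emit the result directly. The guard relies on the truthiness of the returned array, which is fine for an empty-vs-non-empty check but worth a short comment so it is not later changed to a stricter comparison. The rest of getVaryHeader() (building and returning the string) lies outside the hunk.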
index c7b18a4..5bf24f6 100644 (file)
@@ -80,6 +80,12 @@ class RawAction extends FormlessAction {
                        }
                }
 
+               // Set standard Vary headers so cache varies on cookies and such (T125283)
+               $response->header( $this->getOutput()->getVaryHeader() );
+               if ( $config->get( 'UseKeyHeader' ) ) {
+                       $response->header( $this->getOutput()->getKeyHeader() );
+               }
+
                $response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
                // Output may contain user-specific data;
                // vary generated content for open sessions on private wikis
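Review bot: `$response->header()` replaces an already-sent header of the same name by default, so the `Vary:` line emitted at the top of the added block and any `Vary` header sent later in the same method would not be merged — only the last call's value reaches the client and shared caches. The comment at the end of the hunk about varying content for open sessions suggests session-dependent handling follows below, so confirm that no separate `Vary` header remains there, or route it through `$this->getOutput()->addVaryHeader()` before this call so that getVaryHeader() folds it in. The hunk also uses `$config` without showing where it is assigned; the enclosing method starts and ends outside the hunk, so this presumably comes from the action's config accessor earlier in the method. The new comment could state the reason the header is now unconditional, e.g. `// Always send Vary so shared caches key on cookies even when no session is open (T125283)`.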