ApiCSPReport: Fix undefined $userAgent variable

[lhc/web/wiklou.git] / includes / api / ApiCSPReport.php

diff --git a/includes/api/ApiCSPReport.php b/includes/api/ApiCSPReport.php
index a4631d6..82a7cce 100644 (file)
--- a/includes/api/ApiCSPReport.php
+++ b/includes/api/ApiCSPReport.php
@@ -47,7 +47,7 @@ class ApiCSPReport extends ApiBase {
 
                $this->verifyPostBodyOk();
                $report = $this->getReport();
-               $flags = $this->getFlags( $report );
+               $flags = $this->getFlags( $report, $userAgent );
 
                $warningText = $this->generateLogLine( $flags, $report );
                $this->logReport( $flags, $warningText, [
@@ -81,9 +81,10 @@ class ApiCSPReport extends ApiBase {
         * Get extra notes about the report.
         *
         * @param array $report The CSP report
+        * @param string $userAgent
         * @return array
         */
-       private function getFlags( $report ) {
+       private function getFlags( $report, $userAgent ) {
                $reportOnly = $this->getParameter( 'reportonly' );
                $source = $this->getParameter( 'source' );
                $falsePositives = $this->getConfig()->get( 'CSPFalsePositiveUrls' );
@@ -97,12 +98,22 @@ class ApiCSPReport extends ApiBase {
                }
 
                if (
-                       ( isset( $report['blocked-uri'] ) &&
-                       isset( $falsePositives[$report['blocked-uri']] ) )
-                       || ( isset( $report['source-file'] ) &&
-                       isset( $falsePositives[$report['source-file']] ) )
+                       (
+                               ContentSecurityPolicy::falsePositiveBrowser( $userAgent ) &&
+                               $report['blocked-uri'] === "self"
+                       ) ||
+                       (
+                               isset( $report['blocked-uri'] ) &&
+                               isset( $falsePositives[$report['blocked-uri']] )
+                       ) ||
+                       (
+                               isset( $report['source-file'] ) &&
+                               isset( $falsePositives[$report['source-file']] )
+                       )
                ) {
-                       // Report caused by Ad-Ware
+                       // False positive due to:
+                       // https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
+
                        $flags[] = 'false-positive';
                }
                return $flags;
@@ -127,7 +138,7 @@ class ApiCSPReport extends ApiBase {
        /**
         * Get the report from post body and turn into associative array.
         *
-        * @return Array
+        * @return array
         */
        private function getReport() {
                $postBody = $this->getRequest()->getRawInput();
@@ -162,7 +173,7 @@ class ApiCSPReport extends ApiBase {
        private function generateLogLine( $flags, $report ) {
                $flagText = '';
                if ( $flags ) {
-                       $flagText = '[' . implode( $flags, ', ' ) . ']';
+                       $flagText = '[' . implode( ', ', $flags ) . ']';
                }
 
                $blockedFile = isset( $report['blocked-uri'] ) ? $report['blocked-uri'] : 'n/a';
@@ -216,6 +227,7 @@ class ApiCSPReport extends ApiBase {
 
        /**
         * Mark as internal. This isn't meant to be used by normal api users
+        * @return bool
         */
        public function isInternal() {
                return true;
@@ -223,6 +235,7 @@ class ApiCSPReport extends ApiBase {
 
        /**
         * Even if you don't have read rights, we still want your report.
+        * @return bool
         */
        public function isReadMode() {
                return false;
@@ -232,6 +245,7 @@ class ApiCSPReport extends ApiBase {
         * Doesn't touch db, so max lag should be rather irrelavent.
         *
         * Also, this makes sure that reports aren't lost during lag events.
+        * @return bool
         */
        public function shouldCheckMaxLag() {
                return false;