X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=includes%2Fapi%2FApiCSPReport.php;h=f53d2b93c2a86c3386119d67ab6cb54b50fdfe39;hp=1584164fb1b2990893774455611680ec9c2bda15;hb=f79c9e6ca3c02090d6d56eaecb2ab90d4198b2b9;hpb=0ca1b8a0e621c939dfdf81035b73d23d94098894 diff --git a/includes/api/ApiCSPReport.php b/includes/api/ApiCSPReport.php index 1584164fb1..f53d2b93c2 100644 --- a/includes/api/ApiCSPReport.php +++ b/includes/api/ApiCSPReport.php @@ -54,7 +54,7 @@ class ApiCSPReport extends ApiBase { // XXX Is it ok to put untrusted data into log?? 'csp-report' => $report, 'method' => __METHOD__, - 'user' => $this->getUser()->getName(), + 'user_id' => $this->getUser()->getId() || 'logged-out', 'user-agent' => $userAgent, 'source' => $this->getParameter( 'source' ), ] ); @@ -209,15 +209,32 @@ class ApiCSPReport extends ApiBase { $flagText = '[' . implode( ', ', $flags ) . ']'; } - $blockedFile = $report['blocked-uri'] ?? 'n/a'; + $blockedOrigin = isset( $report['blocked-uri'] ) + ? $this->originFromUrl( $report['blocked-uri'] ) + : 'n/a'; $page = $report['document-uri'] ?? 'n/a'; - $line = isset( $report['line-number'] ) ? ':' . $report['line-number'] : ''; + $line = isset( $report['line-number'] ) + ? ':' . $report['line-number'] + : ''; $warningText = $flagText . - ' Received CSP report: <' . $blockedFile . - '> blocked from being loaded on <' . $page . '>' . $line; + ' Received CSP report: <' . $blockedOrigin . '>' . + ' blocked from being loaded on <' . $page . '>' . $line; return $warningText; } + /** + * @param string $url + * @return string + */ + private function originFromUrl( $url ) { + $bits = wfParseUrl( $url ); + unset( $bits['user'], $bits['pass'], $bits['query'], $bits['fragment'] ); + $bits['path'] = ''; + $serverUrl = wfAssembleUrl( $bits ); + // e.g. "https://example.org" from "https://example.org/foo/b?a#r" + return $serverUrl; + } + /** * Stop processing the request, and output/log an error *