X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=includes%2Fapi%2FApiMain.php;h=5cb7967d33bf5f6d50957fb4e56ce2a5e9333f0c;hp=00f976e9075afb419bf5afc5e1f950e445d9b32d;hb=509c8d6e378a8decae43dcb27276ddae40dc1143;hpb=718241d779a095f93f9f56b06e8cd647053cb79c
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 00f976e907..5cb7967d33 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -236,6 +236,7 @@ class ApiMain extends ApiBase {
 wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" );
 $wgUser = new User();
 $this->getContext()->setUser( $wgUser );
+ $request->response()->header( 'MediaWiki-Login-Suppressed: true' );
 }
 }
@@ -703,13 +704,17 @@ class ApiMain extends ApiBase {
 $request = $this->getRequest();
 $response = $request->response();
- $matchOrigin = false;
+ $matchedOrigin = false;
 $allowTiming = false;
 $varyOrigin = true;
 if ( $originParam === '*' ) {
 // Request for anonymous CORS
- $matchOrigin = true;
+ // Technically we should check for the presence of an Origin header
+ // and not process it as CORS if it's not set, but that would
+ // require us to vary on Origin for all 'origin=*' requests which
+ // we don't want to do.
+ $matchedOrigin = true;
 $allowOrigin = '*';
 $allowCredentials = 'false';
 $varyOrigin = false; // No need to vary
@@ -736,7 +741,7 @@ class ApiMain extends ApiBase {
 }
 $config = $this->getConfig();
- $matchOrigin = count( $origins ) === 1 && self::matchOrigin(
+ $matchedOrigin = count( $origins ) === 1 && self::matchOrigin(
 $originParam,
 $config->get( 'CrossSiteAJAXdomains' ),
 $config->get( 'CrossSiteAJAXdomainExceptions' )
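Review bot: The new `MediaWiki-Login-Suppressed` header carries no comment saying what it signals, and its only context is the debug message above it; a line such as `// Tell the caller its credentials were deliberately ignored for this request (readable cross-origin via Access-Control-Expose-Headers)` next to the header call would make the contract explicit. `$request` is not defined in the visible lines, so it is presumably the request object obtained earlier in the same method; that method starts outside the hunk. The last hunk adds the header to Access-Control-Expose-Headers, which is what allows a cross-origin script to read it at all.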
@@ -747,19 +752,21 @@ class ApiMain extends ApiBase {
 $allowTiming = $originHeader;
 }
- if ( $matchOrigin ) {
+ if ( $matchedOrigin ) {
 $requestedMethod = $request->getHeader( 'Access-Control-Request-Method' );
 $preflight = $request->getMethod() === 'OPTIONS' && $requestedMethod !== false;
 if ( $preflight ) {
 // This is a CORS preflight request
 if ( $requestedMethod !== 'POST' && $requestedMethod !== 'GET' ) {
 // If method is not a case-sensitive match, do not set any additional headers and terminate.
+ $response->header( 'MediaWiki-CORS-Rejection: Unsupported method requested in preflight' );
 return true;
 }
 // We allow the actual request to send the following headers
 $requestedHeaders = $request->getHeader( 'Access-Control-Request-Headers' );
 if ( $requestedHeaders !== false ) {
 if ( !self::matchRequestedHeaders( $requestedHeaders ) ) {
+ $response->header( 'MediaWiki-CORS-Rejection: Unsupported header requested in preflight' );
 return true;
 }
 $response->header( 'Access-Control-Allow-Headers: ' . $requestedHeaders );
@@ -767,6 +774,12 @@ class ApiMain extends ApiBase {
 // We only allow the actual request to be GET or POST
 $response->header( 'Access-Control-Allow-Methods: POST, GET' );
+ } elseif ( $request->getMethod() !== 'POST' && $request->getMethod() !== 'GET' ) {
+ // Unsupported non-preflight method, don't handle it as CORS
+ $response->header(
+ 'MediaWiki-CORS-Rejection: Unsupported method for simple request or actual request'
+ );
+ return true;
 }
 $response->header( "Access-Control-Allow-Origin: $allowOrigin" );
@@ -778,9 +791,12 @@ class ApiMain extends ApiBase {
 if ( !$preflight ) {
 $response->header(
- 'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag'
+ 'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag, '
+ . 'MediaWiki-Login-Suppressed'
 );
 }
+ } else {
+ $response->header( 'MediaWiki-CORS-Rejection: Origin mismatch' );
 }
 if ( $varyOrigin ) {
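Review bot: The two new `MediaWiki-CORS-Rejection` headers are sent on responses that carry no Access-Control-Allow-Origin, so the browser withholds them from the calling script and they are useful only in a network inspector or in server-side logging; a comment at the first emission, `// Diagnostic only: the browser hides a rejected CORS response from script, so this is for the network inspector and logs`, would keep a later maintainer from trying to read it client-side. The header value is free-form prose that differs slightly at each emission site; if tooling is ever expected to match on it, a short fixed token per cause would be easier to grep for than a sentence. The enclosing method starts outside the hunk.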
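Review bot: The new `elseif` branch returns before the `if ( $varyOrigin )` block visible at the end of the last hunk, so a matched-origin request with an unsupported method is answered without whatever that block adds (presumably `Vary: Origin`), while the same URL requested from a non-matching Origin falls through to it with a different rejection header; a shared cache keyed on the URL alone could then serve one caller's variant to the other. If that block is where `Vary: Origin` is emitted, consider setting it before this `return true;` — and, for consistency, before the two pre-existing preflight `return true;` sites in the preceding hunk — or let the rejections fall through to the common tail instead of returning. Separately, `$request->getMethod()` is evaluated twice in the new condition; a single `$method = $request->getMethod();` hoisted next to the `$preflight` assignment (outside this hunk) and reused in both places would read better. The enclosing method starts outside the hunk.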
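Review bot: The new `else` branch labels every non-match `Origin mismatch`, but the assignment in the third hunk leaves `$matchedOrigin` false whenever `count( $origins ) !== 1` as well, so what is presumably an absent or multi-valued Origin header gets reported under the wrong cause. Either record the reason where the count is checked or widen the text, e.g. `$response->header( 'MediaWiki-CORS-Rejection: Origin header missing, multi-valued, or not in the allowed list' );`. Not returning here is right: the response still reaches the `if ( $varyOrigin )` block below, which by its name is where `Vary: Origin` is applied. The enclosing method starts and ends outside the hunk.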