MediaWiki REL1_37
HeaderCallback.php
Go to the documentation of this file.
1<?php
2
3namespace MediaWiki;
4
9 private static $headersSentException;
10 private static $messageSent = false;
11
19 public static function register() {
20 // T261260 load the WebRequest class, which will be needed in callback().
21 // Autoloading seems unreliable in header callbacks, and in the case of a web
22 // request (ie. in all cases where the request might be performance-sensitive)
23 // it will have to be loaded at some point anyway.
24 // This can be removed once we require PHP 8.0+.
25 class_exists( \WebRequest::class );
26
27 header_register_callback( [ __CLASS__, 'callback' ] );
28 }
29
35 public static function callback() {
36 // Prevent caching of responses with cookies (T127993)
37 $headers = [];
38 foreach ( headers_list() as $header ) {
39 $header = explode( ':', $header, 2 );
40
41 // Note: The code below (currently) does not care about value-less headers
42 if ( isset( $header[1] ) ) {
43 $headers[ strtolower( trim( $header[0] ) ) ][] = trim( $header[1] );
44 }
45 }
46
47 if ( isset( $headers['set-cookie'] ) ) {
48 $cacheControl = isset( $headers['cache-control'] )
49 ? implode( ', ', $headers['cache-control'] )
50 : '';
51
52 if ( !preg_match( '/(?:^|,)\s*(?:private|no-cache|no-store)\s*(?:$|,)/i',
53 $cacheControl )
54 ) {
55 header( 'Expires: Thu, 01 Jan 1970 00:00:00 GMT' );
56 header( 'Cache-Control: private, max-age=0, s-maxage=0' );
57 \MediaWiki\Logger\LoggerFactory::getInstance( 'cache-cookies' )->warning(
58 'Cookies set on {url} with Cache-Control "{cache-control}"', [
59 'url' => \WebRequest::getGlobalRequestURL(),
60 'set-cookie' => self::sanitizeSetCookie( $headers['set-cookie'] ),
61 'cache-control' => $cacheControl ?: '<not set>',
62 ]
63 );
64 }
65 }
66
67 // Set the request ID on the response, so edge infrastructure can log it.
68 // FIXME this is not an ideal place to do it, but the most reliable for now.
69 if ( !isset( $headers['x-request-id'] ) ) {
70 header( 'X-Request-Id: ' . \WebRequest::getRequestId() );
71 }
72
73 // Save a backtrace for logging in case it turns out that headers were sent prematurely
74 self::$headersSentException = new \Exception( 'Headers already sent from this point' );
75 }
76
83 public static function warnIfHeadersSent() {
84 if ( headers_sent() && !self::$messageSent ) {
85 self::$messageSent = true;
86 \MWDebug::warning( 'Headers already sent, should send headers earlier than ' .
87 wfGetCaller( 3 ) );
88 $logger = \MediaWiki\Logger\LoggerFactory::getInstance( 'headers-sent' );
89 $logger->error( 'Warning: headers were already sent from the location below', [
90 'exception' => self::$headersSentException,
91 'detection-trace' => new \Exception( 'Detected here' ),
92 ] );
93 }
94 }
95
101 public static function sanitizeSetCookie( array $values ) {
102 $sanitizedValues = [];
103 foreach ( $values as $value ) {
104 // Set-Cookie header format: <cookie-name>=<cookie-value>; <non-sensitive attributes>
105 $parts = explode( ';', $value );
106 list( $name, $value ) = explode( '=', $parts[0], 2 );
107 if ( strlen( $value ) > 8 ) {
108 $value = substr( $value, 0, 8 ) . '...';
109 $parts[0] = "$name=$value";
110 }
111 $sanitizedValues[] = implode( ';', $parts );
112 }
113 return implode( "\n", $sanitizedValues );
114 }
115}
wfGetCaller( $level=2)
Get the name of the function which called this function wfGetCaller( 1 ) is the function with the wfG...
static warnIfHeadersSent()
Log a warning message if headers have already been sent.
static sanitizeSetCookie(array $values)
Sanitize Set-Cookie headers for logging.
static callback()
The callback, which is called by the transport.
A helper class for throttling authentication attempts.
$header