master/php/HeaderCallback_8php_source.html

<?php


namespace MediaWiki\Request;


use MediaWiki\Debug\MWDebug;

use MediaWiki\Http\Telemetry;

use MediaWiki\Logger\LoggerFactory;

use RuntimeException;


class HeaderCallback {

    private static $headersSentException;

    private static $messageSent = false;


    public static function register() {

        // T261260 load the WebRequest class, which will be needed in callback().

        // Autoloading seems unreliable in header callbacks, and in the case of a web

        // request (ie. in all cases where the request might be performance-sensitive)

        // it will have to be loaded at some point anyway.

        // This can be removed once we require PHP 8.0+.

        class_exists( WebRequest::class );

        class_exists( Telemetry::class );


        header_register_callback( [ __CLASS__, 'callback' ] );

    }


    public static function callback() {

        // Prevent caching of responses with cookies (T127993)

        $headers = [];

        foreach ( headers_list() as $header ) {

            $header = explode( ':', $header, 2 );


            // Note: The code below (currently) does not care about value-less headers

            if ( isset( $header[1] ) ) {

                $headers[ strtolower( trim( $header[0] ) ) ][] = trim( $header[1] );

            }

        }


        if ( isset( $headers['set-cookie'] ) ) {

            $cacheControl = isset( $headers['cache-control'] )

                ? implode( ', ', $headers['cache-control'] )

                : '';


            if ( !preg_match( '/(?:^|,)\s*(?:private|no-cache|no-store)\s*(?:$|,)/i',

                $cacheControl )

            ) {

                header( 'Expires: Thu, 01 Jan 1970 00:00:00 GMT' );

                header( 'Cache-Control: private, max-age=0, s-maxage=0' );

                LoggerFactory::getInstance( 'cache-cookies' )->warning(

                    'Cookies set on {url} with Cache-Control "{cache-control}"', [

                        'url' => WebRequest::getGlobalRequestURL(),

                        'set-cookie' => self::sanitizeSetCookie( $headers['set-cookie'] ),

                        'cache-control' => $cacheControl ?: '<not set>',

                    ]

                );

            }

        }


        $telemetryHeaders = Telemetry::getInstance()->getRequestHeaders();

        // Set the request ID/trace prams on the response, so edge infrastructure can log it.

        // FIXME this is not an ideal place to do it, but the most reliable for now.

        foreach ( $telemetryHeaders as $header => $value ) {

            if ( !isset( $headers[strtolower( $header )] ) ) {

                header( "$header: $value" );

            }

        }


        // Save a backtrace for logging in case it turns out that headers were sent prematurely

        self::$headersSentException = new RuntimeException( 'Headers already sent from this point' );

    }


    public static function warnIfHeadersSent() {

        if ( !self::$messageSent && headers_sent( $filename, $line ) ) {

            self::$messageSent = true;

            MWDebug::warning( 'Headers already sent, should send headers earlier than ' .

                wfGetCaller( 3 ) );

            $logger = LoggerFactory::getInstance( 'headers-sent' );

            $logger->error( 'Warning: headers were already sent (output started at ' . $filename . ':' . $line . ')', [

                'exception' => self::$headersSentException,

                'detection-trace' => new RuntimeException( 'Detected here' ),

            ] );

        }

    }


    public static function sanitizeSetCookie( array $values ) {

        $sanitizedValues = [];

        foreach ( $values as $value ) {

            // Set-Cookie header format: <cookie-name>=<cookie-value>; <non-sensitive attributes>

            $parts = explode( ';', $value );

            [ $name, $value ] = explode( '=', $parts[0], 2 );

            if ( strlen( $value ) > 8 ) {

                $value = substr( $value, 0, 8 ) . '...';

                $parts[0] = "$name=$value";

            }

            $sanitizedValues[] = implode( ';', $parts );

        }

        return implode( "\n", $sanitizedValues );

    }


}


wfGetCaller
wfGetCaller( $level=2)
Get the name of the function which called this function wfGetCaller( 1 ) is the function with the wfG...
Definition GlobalFunctions.php:1008

MediaWiki\Debug\MWDebug
Debug toolbar.
Definition MWDebug.php:49

MediaWiki\Http\Telemetry
Service for handling telemetry data.
Definition Telemetry.php:29

MediaWiki\Logger\LoggerFactory
Create PSR-3 logger objects.
Definition LoggerFactory.php:46

MediaWiki\Request\HeaderCallback
Definition HeaderCallback.php:13

MediaWiki\Request\HeaderCallback\warnIfHeadersSent
static warnIfHeadersSent()
Log a warning message if headers have already been sent.
Definition HeaderCallback.php:94

MediaWiki\Request\HeaderCallback\callback
static callback()
The callback, which is called by the transport.
Definition HeaderCallback.php:43

MediaWiki\Request\HeaderCallback\sanitizeSetCookie
static sanitizeSetCookie(array $values)
Sanitize Set-Cookie headers for logging.
Definition HeaderCallback.php:112

MediaWiki\Request\WebRequest\getGlobalRequestURL
static getGlobalRequestURL()
Return the path and query string portion of the main request URI.
Definition WebRequest.php:949

MediaWiki\Request
Definition ContentSecurityPolicy.php:21