MediaWiki  master
HeaderCallback.php
Go to the documentation of this file.
1 <?php
2 
3 namespace MediaWiki;
4 
9  private static $headersSentException;
10  private static $messageSent = false;
11 
19  public static function register() {
20  // T261260 load the WebRequest class, which will be needed in callback().
21  // Autoloading seems unreliable in header callbacks, and in the case of a web
22  // request (ie. in all cases where the request might be performance-sensitive)
23  // it will have to be loaded at some point anyway.
24  // This can be removed once we require PHP 8.0+.
25  class_exists( \WebRequest::class );
26  // Likewise, cache the request ID.
28 
29  header_register_callback( [ __CLASS__, 'callback' ] );
30  }
31 
37  public static function callback() {
38  // Prevent caching of responses with cookies (T127993)
39  $headers = [];
40  foreach ( headers_list() as $header ) {
41  $header = explode( ':', $header, 2 );
42 
43  // Note: The code below (currently) does not care about value-less headers
44  if ( isset( $header[1] ) ) {
45  $headers[ strtolower( trim( $header[0] ) ) ][] = trim( $header[1] );
46  }
47  }
48 
49  if ( isset( $headers['set-cookie'] ) ) {
50  $cacheControl = isset( $headers['cache-control'] )
51  ? implode( ', ', $headers['cache-control'] )
52  : '';
53 
54  if ( !preg_match( '/(?:^|,)\s*(?:private|no-cache|no-store)\s*(?:$|,)/i',
55  $cacheControl )
56  ) {
57  header( 'Expires: Thu, 01 Jan 1970 00:00:00 GMT' );
58  header( 'Cache-Control: private, max-age=0, s-maxage=0' );
59  \MediaWiki\Logger\LoggerFactory::getInstance( 'cache-cookies' )->warning(
60  'Cookies set on {url} with Cache-Control "{cache-control}"', [
62  'set-cookie' => self::sanitizeSetCookie( $headers['set-cookie'] ),
63  'cache-control' => $cacheControl ?: '<not set>',
64  ]
65  );
66  }
67  }
68 
69  // Set the request ID on the response, so edge infrastructure can log it.
70  // FIXME this is not an ideal place to do it, but the most reliable for now.
71  if ( !isset( $headers['x-request-id'] ) ) {
72  header( 'X-Request-Id: ' . \WebRequest::getRequestId() );
73  }
74 
75  // Save a backtrace for logging in case it turns out that headers were sent prematurely
76  self::$headersSentException = new \Exception( 'Headers already sent from this point' );
77  }
78 
85  public static function warnIfHeadersSent() {
86  if ( headers_sent() && !self::$messageSent ) {
87  self::$messageSent = true;
88  \MWDebug::warning( 'Headers already sent, should send headers earlier than ' .
89  wfGetCaller( 3 ) );
90  $logger = \MediaWiki\Logger\LoggerFactory::getInstance( 'headers-sent' );
91  $logger->error( 'Warning: headers were already sent from the location below', [
92  'exception' => self::$headersSentException,
93  'detection-trace' => new \Exception( 'Detected here' ),
94  ] );
95  }
96  }
97 
103  public static function sanitizeSetCookie( array $values ) {
104  $sanitizedValues = [];
105  foreach ( $values as $value ) {
106  // Set-Cookie header format: <cookie-name>=<cookie-value>; <non-sensitive attributes>
107  $parts = explode( ';', $value );
108  list( $name, $value ) = explode( '=', $parts[0], 2 );
109  if ( strlen( $value ) > 8 ) {
110  $value = substr( $value, 0, 8 ) . '...';
111  $parts[0] = "$name=$value";
112  }
113  $sanitizedValues[] = implode( ';', $parts );
114  }
115  return implode( "\n", $sanitizedValues );
116  }
117 }
MediaWiki\HeaderCallback\callback
static callback()
The callback, which is called by the transport.
Definition: HeaderCallback.php:37
MediaWiki\Logger\LoggerFactory\getInstance
static getInstance( $channel)
Get a named logger instance from the currently configured logger factory.
Definition: LoggerFactory.php:92
MediaWiki\HeaderCallback\sanitizeSetCookie
static sanitizeSetCookie(array $values)
Sanitize Set-Cookie headers for logging.
Definition: HeaderCallback.php:103
MediaWiki
A helper class for throttling authentication attempts.
$header
$header
Definition: updateCredits.php:37
MediaWiki\HeaderCallback
Definition: HeaderCallback.php:8
WebRequest\getRequestId
static getRequestId()
Get the unique request ID.
Definition: WebRequest.php:328
WebRequest\getGlobalRequestURL
static getGlobalRequestURL()
Return the path and query string portion of the main request URI.
Definition: WebRequest.php:908
MWDebug\warning
static warning( $msg, $callerOffset=1, $level=E_USER_NOTICE, $log='auto')
Adds a warning entry to the log.
Definition: MWDebug.php:180
wfGetCaller
wfGetCaller( $level=2)
Get the name of the function which called this function wfGetCaller( 1 ) is the function with the wfG...
Definition: GlobalFunctions.php:1407
MediaWiki\HeaderCallback\$headersSentException
static $headersSentException
Definition: HeaderCallback.php:9
MediaWiki\HeaderCallback\warnIfHeadersSent
static warnIfHeadersSent()
Log a warning message if headers have already been sent.
Definition: HeaderCallback.php:85