MediaWiki  master
HeaderCallback.php
Go to the documentation of this file.
1 <?php
2 
3 namespace MediaWiki;
4 
9  private static $headersSentException;
10  private static $messageSent = false;
11 
19  public static function register() {
20  header_register_callback( [ __CLASS__, 'callback' ] );
21  }
22 
28  public static function callback() {
29  // Prevent caching of responses with cookies (T127993)
30  $headers = [];
31  foreach ( headers_list() as $header ) {
32  $header = explode( ':', $header, 2 );
33 
34  // Note: The code below (currently) does not care about value-less headers
35  if ( isset( $header[1] ) ) {
36  $headers[ strtolower( trim( $header[0] ) ) ][] = trim( $header[1] );
37  }
38  }
39 
40  if ( isset( $headers['set-cookie'] ) ) {
41  $cacheControl = isset( $headers['cache-control'] )
42  ? implode( ', ', $headers['cache-control'] )
43  : '';
44 
45  if ( !preg_match( '/(?:^|,)\s*(?:private|no-cache|no-store)\s*(?:$|,)/i',
46  $cacheControl )
47  ) {
48  header( 'Expires: Thu, 01 Jan 1970 00:00:00 GMT' );
49  header( 'Cache-Control: private, max-age=0, s-maxage=0' );
50  \MediaWiki\Logger\LoggerFactory::getInstance( 'cache-cookies' )->warning(
51  'Cookies set on {url} with Cache-Control "{cache-control}"', [
53  'set-cookie' => self::sanitizeSetCookie( $headers['set-cookie'] ),
54  'cache-control' => $cacheControl ?: '<not set>',
55  ]
56  );
57  }
58  }
59 
60  // Set the request ID on the response, so edge infrastructure can log it.
61  // FIXME this is not an ideal place to do it, but the most reliable for now.
62  if ( !isset( $headers['x-request-id'] ) ) {
63  header( 'X-Request-Id: ' . \WebRequest::getRequestId() );
64  }
65 
66  // Save a backtrace for logging in case it turns out that headers were sent prematurely
67  self::$headersSentException = new \Exception( 'Headers already sent from this point' );
68  }
69 
76  public static function warnIfHeadersSent() {
77  if ( headers_sent() && !self::$messageSent ) {
78  self::$messageSent = true;
79  \MWDebug::warning( 'Headers already sent, should send headers earlier than ' .
80  wfGetCaller( 3 ) );
81  $logger = \MediaWiki\Logger\LoggerFactory::getInstance( 'headers-sent' );
82  $logger->error( 'Warning: headers were already sent from the location below', [
83  'exception' => self::$headersSentException,
84  'detection-trace' => new \Exception( 'Detected here' ),
85  ] );
86  }
87  }
88 
94  public static function sanitizeSetCookie( array $values ) {
95  $sanitizedValues = [];
96  foreach ( $values as $value ) {
97  // Set-Cookie header format: <cookie-name>=<cookie-value>; <non-sensitive attributes>
98  $parts = explode( ';', $value );
99  list( $name, $value ) = explode( '=', $parts[0], 2 );
100  if ( strlen( $value ) > 8 ) {
101  $value = substr( $value, 0, 8 ) . '...';
102  $parts[0] = "$name=$value";
103  }
104  $sanitizedValues[] = implode( ';', $parts );
105  }
106  return implode( "\n", $sanitizedValues );
107  }
108 }
MediaWiki\HeaderCallback\callback
static callback()
The callback, which is called by the transport.
Definition: HeaderCallback.php:28
MediaWiki\Logger\LoggerFactory\getInstance
static getInstance( $channel)
Get a named logger instance from the currently configured logger factory.
Definition: LoggerFactory.php:92
MediaWiki\HeaderCallback\sanitizeSetCookie
static sanitizeSetCookie(array $values)
Sanitize Set-Cookie headers for logging.
Definition: HeaderCallback.php:94
MediaWiki
A helper class for throttling authentication attempts.
$header
$header
Definition: updateCredits.php:41
MediaWiki\HeaderCallback
Definition: HeaderCallback.php:8
WebRequest\getRequestId
static getRequestId()
Get the unique request ID.
Definition: WebRequest.php:327
WebRequest\getGlobalRequestURL
static getGlobalRequestURL()
Return the path and query string portion of the main request URI.
Definition: WebRequest.php:907
MWDebug\warning
static warning( $msg, $callerOffset=1, $level=E_USER_NOTICE, $log='auto')
Adds a warning entry to the log.
Definition: MWDebug.php:180
wfGetCaller
wfGetCaller( $level=2)
Get the name of the function which called this function wfGetCaller( 1 ) is the function with the wfG...
Definition: GlobalFunctions.php:1390
MediaWiki\HeaderCallback\$headersSentException
static $headersSentException
Definition: HeaderCallback.php:9
MediaWiki\HeaderCallback\warnIfHeadersSent
static warnIfHeadersSent()
Log a warning message if headers have already been sent.
Definition: HeaderCallback.php:76