MediaWiki  master
HeaderCallback.php
Go to the documentation of this file.
1 <?php
2 
3 namespace MediaWiki\Request;
4 
9  private static $headersSentException;
10  private static $messageSent = false;
11 
19  public static function register() {
20  // T261260 load the WebRequest class, which will be needed in callback().
21  // Autoloading seems unreliable in header callbacks, and in the case of a web
22  // request (ie. in all cases where the request might be performance-sensitive)
23  // it will have to be loaded at some point anyway.
24  // This can be removed once we require PHP 8.0+.
25  class_exists( \WebRequest::class );
26 
27  header_register_callback( [ __CLASS__, 'callback' ] );
28  }
29 
35  public static function callback() {
36  // Prevent caching of responses with cookies (T127993)
37  $headers = [];
38  foreach ( headers_list() as $header ) {
39  $header = explode( ':', $header, 2 );
40 
41  // Note: The code below (currently) does not care about value-less headers
42  if ( isset( $header[1] ) ) {
43  $headers[ strtolower( trim( $header[0] ) ) ][] = trim( $header[1] );
44  }
45  }
46 
47  if ( isset( $headers['set-cookie'] ) ) {
48  $cacheControl = isset( $headers['cache-control'] )
49  ? implode( ', ', $headers['cache-control'] )
50  : '';
51 
52  if ( !preg_match( '/(?:^|,)\s*(?:private|no-cache|no-store)\s*(?:$|,)/i',
53  $cacheControl )
54  ) {
55  header( 'Expires: Thu, 01 Jan 1970 00:00:00 GMT' );
56  header( 'Cache-Control: private, max-age=0, s-maxage=0' );
57  \MediaWiki\Logger\LoggerFactory::getInstance( 'cache-cookies' )->warning(
58  'Cookies set on {url} with Cache-Control "{cache-control}"', [
60  'set-cookie' => self::sanitizeSetCookie( $headers['set-cookie'] ),
61  'cache-control' => $cacheControl ?: '<not set>',
62  ]
63  );
64  }
65  }
66 
67  // Set the request ID on the response, so edge infrastructure can log it.
68  // FIXME this is not an ideal place to do it, but the most reliable for now.
69  if ( !isset( $headers['x-request-id'] ) ) {
70  header( 'X-Request-Id: ' . \WebRequest::getRequestId() );
71  }
72 
73  // Save a backtrace for logging in case it turns out that headers were sent prematurely
74  self::$headersSentException = new \Exception( 'Headers already sent from this point' );
75  }
76 
83  public static function warnIfHeadersSent() {
84  if ( headers_sent() && !self::$messageSent ) {
85  self::$messageSent = true;
86  \MWDebug::warning( 'Headers already sent, should send headers earlier than ' .
87  wfGetCaller( 3 ) );
88  $logger = \MediaWiki\Logger\LoggerFactory::getInstance( 'headers-sent' );
89  $logger->error( 'Warning: headers were already sent from the location below', [
90  'exception' => self::$headersSentException,
91  'detection-trace' => new \Exception( 'Detected here' ),
92  ] );
93  }
94  }
95 
101  public static function sanitizeSetCookie( array $values ) {
102  $sanitizedValues = [];
103  foreach ( $values as $value ) {
104  // Set-Cookie header format: <cookie-name>=<cookie-value>; <non-sensitive attributes>
105  $parts = explode( ';', $value );
106  [ $name, $value ] = explode( '=', $parts[0], 2 );
107  if ( strlen( $value ) > 8 ) {
108  $value = substr( $value, 0, 8 ) . '...';
109  $parts[0] = "$name=$value";
110  }
111  $sanitizedValues[] = implode( ';', $parts );
112  }
113  return implode( "\n", $sanitizedValues );
114  }
115 }
116 
117 class_alias( HeaderCallback::class, 'MediaWiki\\HeaderCallback' );
wfGetCaller( $level=2)
Get the name of the function which called this function wfGetCaller( 1 ) is the function with the wfG...
static warning( $msg, $callerOffset=1, $level=E_USER_NOTICE, $log='auto')
Adds a warning entry to the log.
Definition: MWDebug.php:184
static getInstance( $channel)
Get a named logger instance from the currently configured logger factory.
static warnIfHeadersSent()
Log a warning message if headers have already been sent.
static sanitizeSetCookie(array $values)
Sanitize Set-Cookie headers for logging.
static callback()
The callback, which is called by the transport.
static getRequestId()
Get the current request ID.
Definition: WebRequest.php:344
static getGlobalRequestURL()
Return the path and query string portion of the main request URI.
Definition: WebRequest.php:921
$header