author | root <root@luna.archlinux.org> | 2016-05-21 06:38:45 +0000 |
committer | root <root@luna.archlinux.org> | 2016-05-21 06:38:45 +0000 |
commit | b88e92b7f0ce508c55de8c6ac5159ef544d480be (patch) | |
tree | 86b188507543d2670b7ada1caa8f1139d3d5abe9 /includes/api/ApiMain.php | |
parent | a2bbd243c85ea0e425ee3e8c380aba9f254cee61 (diff) | |
parent | 7bf2eb8ba09b54cec804446ea39a3e658773fac9 (diff) |
Merge branch 'master' of https://git.archlinux.org/vhosts/wiki.archlinux.org
Diffstat (limited to 'includes/api/ApiMain.php')
-rw-r--r-- | includes/api/ApiMain.php | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index d943c86b..1f0aebb6 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -145,6 +145,9 @@ class ApiMain extends ApiBase {
 	private $mCacheControl = array();
 	private $mParamsUsed = array();
+	/** @var bool|null Cached return value from self::lacksSameOriginSecurity() */
+	private $lacksSameOriginSecurity = null;
+
 	/**
 	 * Constructs an instance of ApiMain that utilizes the module and format specified by $request.
 	 *
@@ -243,6 +246,36 @@ class ApiMain extends ApiBase {
 	}
 	/**
+	 * Get the security flag for the current request
+	 * @return bool
+	 */
+	public function lacksSameOriginSecurity() {
+		if ( $this->lacksSameOriginSecurity !== null ) {
+			return $this->lacksSameOriginSecurity;
+		}
+
+		$request = $this->getRequest();
+
+		// JSONP mode
+		if ( $request->getVal( 'callback' ) !== null ) {
+			$this->lacksSameOriginSecurity = true;
+			return true;
+		}
+
+		// Header to be used from XMLHTTPRequest when the request might
+		// otherwise be used for XSS.
+		if ( $request->getHeader( 'Treat-as-Untrusted' ) !== false ) {
+			$this->lacksSameOriginSecurity = true;
+			return true;
+		}
+
+		// Allow extensions to override.
+		$this->lacksSameOriginSecurity = !Hooks::run( 'RequestHasSameOriginSecurity', array( $request ) );
+		return $this->lacksSameOriginSecurity;
+	}
+
+
+	/**
 	 * Get the ApiErrorFormatter object associated with current request
 	 * @return ApiErrorFormatter
 	 */
@@ -717,6 +750,8 @@ class ApiMain extends ApiBase {
 		$response = $this->getRequest()->response();
 		$out = $this->getOutput();
+		$out->addVaryHeader( 'Treat-as-Untrusted' );
+
 		$config = $this->getConfig();
 		if ( $config->get( 'VaryOnXFP' ) ) {
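Review bot: The docblock on the new lacksSameOriginSecurity() in the second hunk says only `Get the security flag for the current request`, which tells a caller neither what a true result means nor how the hook interacts with the built-in checks; I would replace it with `Whether this request must be treated as lacking same-origin security: JSONP via the 'callback' parameter, a 'Treat-as-Untrusted' request header (any value), or a RequestHasSameOriginSecurity handler returning false. Callers should then withhold session-dependent data. Memoized per instance.`. It is worth stating in that comment that the hook runs only after the two built-in checks, so a handler can mark a request untrusted but can never override the JSONP or header result, which is the fail-safe direction. The `'callback'` test uses `getVal(...) !== null`, so an empty `callback=` also counts as JSONP, which is conservative and fine but deserves a word in the comment. The two consecutive blank lines between the method's closing brace and the next docblock are a style nit.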