From 7bf2eb8ba09b54cec804446ea39a3e658773fac9 Mon Sep 17 00:00:00 2001 From: Pierre Schmitz Date: Sat, 21 May 2016 08:33:14 +0200 Subject: Update to MediaWiki 1.26.3 --- includes/api/ApiMain.php | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) (limited to 'includes/api/ApiMain.php') diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index d943c86b..1f0aebb6 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php @@ -145,6 +145,9 @@ class ApiMain extends ApiBase { private $mCacheControl = array(); private $mParamsUsed = array(); + /** @var bool|null Cached return value from self::lacksSameOriginSecurity() */ + private $lacksSameOriginSecurity = null; + /** * Constructs an instance of ApiMain that utilizes the module and format specified by $request. * @@ -242,6 +245,36 @@ class ApiMain extends ApiBase { return $this->mResult; } + /** + * Get the security flag for the current request + * @return bool + */ + public function lacksSameOriginSecurity() { + if ( $this->lacksSameOriginSecurity !== null ) { + return $this->lacksSameOriginSecurity; + } + + $request = $this->getRequest(); + + // JSONP mode + if ( $request->getVal( 'callback' ) !== null ) { + $this->lacksSameOriginSecurity = true; + return true; + } + + // Header to be used from XMLHTTPRequest when the request might + // otherwise be used for XSS. + if ( $request->getHeader( 'Treat-as-Untrusted' ) !== false ) { + $this->lacksSameOriginSecurity = true; + return true; + } + + // Allow extensions to override. + $this->lacksSameOriginSecurity = !Hooks::run( 'RequestHasSameOriginSecurity', array( $request ) ); + return $this->lacksSameOriginSecurity; + } + + /** * Get the ApiErrorFormatter object associated with current request * @return ApiErrorFormatter @@ -717,6 +750,8 @@ class ApiMain extends ApiBase { $response = $this->getRequest()->response(); $out = $this->getOutput(); + $out->addVaryHeader( 'Treat-as-Untrusted' ); + $config = $this->getConfig(); if ( $config->get( 'VaryOnXFP' ) ) { -- cgit v1.2.2