Merge "API: Remove unused "non-whitelisted CORS origin" log"
This commit is contained in:
commit
c57205f452
2 changed files with 0 additions and 52 deletions
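--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -197,37 +197,6 @@ class ApiMain extends ApiBase {
 $config = $this->getConfig();
 
 if ( !$this->mInternalMode ) {
-// Log if a request with a non-whitelisted Origin header is seen
-// with session cookies.
-$originHeader = $request->getHeader( 'Origin' );
-if ( $originHeader === false ) {
-$origins = [];
-} else {
-$originHeader = trim( $originHeader );
-$origins = preg_split( '/\s+/', $originHeader );
-}
-$sessionCookies = array_intersect(
-array_keys( $_COOKIE ),
-SessionManager::singleton()->getVaryCookies()
-);
-if ( $origins && $sessionCookies && (
-count( $origins ) !== 1 || !self::matchOrigin(
-$origins[0],
-$config->get( 'CrossSiteAJAXdomains' ),
-$config->get( 'CrossSiteAJAXdomainExceptions' )
-)
-) ) {
-LoggerFactory::getInstance( 'cors' )->warning(
-'Non-whitelisted CORS request with session cookies', [
-'origin' => $originHeader,
-'cookies' => $sessionCookies,
-'ip' => $request->getIP(),
-'userAgent' => $this->getUserAgent(),
-'wiki' => WikiMap::getCurrentWikiDbDomain()->getId(),
-]
-);
-}
-
 // If we're in a mode that breaks the same-origin policy, strip
 // user credentials for security.
 if ( $this->lacksSameOriginSecurity() ) {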
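--- a/tests/phpunit/includes/api/ApiMainTest.php
+++ b/tests/phpunit/includes/api/ApiMainTest.php
@@ -79,27 +79,6 @@ class ApiMainTest extends ApiTestCase {
 $this->assertSame( 'fr', $wgLang->getCode() );
 }
 
-public function testNonWhitelistedCorsWithCookies() {
-$logFile = $this->getNewTempFile();
-
-$this->mergeMwGlobalArrayValue( '_COOKIE', [ 'forceHTTPS' => '1' ] );
-$logger = new TestLogger( true );
-$this->setLogger( 'cors', $logger );
-
-$api = $this->getNonInternalApiMain( [
-'action' => 'query',
-'meta' => 'siteinfo',
-// For some reason multiple origins (which are not allowed in the
-// WHATWG Fetch spec that supersedes the RFC) are always considered to
-// be problematic.
-], [ 'ORIGIN' => 'https://www.example.com https://www.com.example' ] );
-
-$this->assertSame(
-[ [ Psr\Log\LogLevel::WARNING, 'Non-whitelisted CORS request with session cookies' ] ],
-$logger->getBuffer()
-);
-}
-
 public function testSuppressedLogin() {
 global $wgUser;
 $origUser = $wgUser;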