Commit graph

59 commits

Author SHA1 Message Date
Brad Jorsch
8885b548ad WebResponse: Use values altered in 'WebResponseSetCookie' hook
The 'WebResponseSetCookie' hook is allowed to alter the data for the
cookie being set. We need to actually use those altered values, rather
than setting $cookie and $data earlier in the function.

Bug: T198525
Change-Id: Ia817e3dc5ce17fdcf5057ee5fcb6980baa1333d6
2018-07-09 11:01:05 -04:00
jenkins-bot
eb0758923d Merge "Disable WebResponse setters for post-send processing" 2018-06-13 13:21:51 +00:00
Fomafix
0f1858321c Use PHP 7 '??' operator instead of if-then-else
Change-Id: I790b86e2e9e3e41386144637659516a4bfca1cfe
2018-06-12 23:14:18 +02:00
Brad Jorsch
23706be35c Disable WebResponse setters for post-send processing
When jobs are being run synchronously post-send, we don't want to allow
bugs to result in a job somehow setting cookies or headers that
interfere with those that were intended to be set in the request.

Bug: T191537
Change-Id: Ib5714a17af417797140f99e41eaacbba1bfd20f4
2018-06-12 12:35:41 -04:00
Tim Starling
f193271cff Log a backtrace from the culprit location if headers were already sent
Install the backtrace collector very early, so that we can get the
backtrace even if headers were sent from LocalSettings.php.

Bug: T157392
Change-Id: I9bc732b34481c95afb5362e135a87bd4302498e2
2017-02-23 14:10:12 +11:00
Chad Horohoe
c78d1c842f Log a warning when headers were already sent and we can't
Change-Id: Id01f4712e3dd297594e9ed2389ad411be5f553e7
2017-02-08 13:38:58 -08:00
Alexander I. Mashin
0c34f5fc1a Fix to incorrect calls of header () breaking saving some pages and login
This is to fix incorrect calls of header () with null as its third parameter
in WebResponse::header ().

Under HHVM 3.14.3 this causes warnings in error.log and breaks saving page
and user login.

Bug: T140864
Change-Id: I98291e2746e92e22672de077bccfb36ae91d2c62
2016-09-21 20:20:33 +00:00
Reedy
6ad0357839 Remove old WebResponse::setCookie() calling method
Change-Id: Ibd548ea5bfe08f7fef35273c5a9c6c70c3faf60e
2016-06-04 15:14:40 +00:00
Bryan Davis
8b413431d7 Guard against allowing intermediate caching when cookies are present
Output cache-control headers that disable intermediate caching even if
OutputPage->mEnableClientCache is true when the response includes
set-cookie headers as well. This change mirrors logic that has been in
use on the Wikimedia Foundation production cluster's Varnish cache
system for over 2 years to guard against accidentally caching backend
responses which include Set-Cookie headers.

Co-Author: Max Semenik <maxsem.wiki@gmail.com>
Bug: T127993
Change-Id: I1a0d38a5b9dba754b91a7832371b3dc0df51bd5a
2016-02-29 15:29:58 -07:00
Kunal Mehta
6e9b4f0e9c Convert all array() syntax to []
Per wikitech-l consensus:
 https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html

Notes:
* Disabled CallTimePassByReference due to false positives (T127163)

Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 01:33:00 -08:00
Bryan Davis
cfbc25c5a5 Allow changing cookie options in WebResponseSetCookie hook
Pass the cookie options by value to WebResponseSetCookie handlers so
that they may alter them.

Bug: T49647
Change-Id: I69ae55baa7806f14726b0b08215c0df471794b39
2016-02-10 15:49:08 -07:00
Bryan Davis
31d4359b45 Fix typo in cookie key
Fix typo in cookie key name introduced in I1098d05

Bug: T124641
Change-Id: Ib140aa61ba56844191304c4308052148c728bc64
2016-01-25 09:02:59 -07:00
Brad Jorsch
4d6d06253b Move avoidance of setting deleted cookies into WebResponse
There's no reason this should be only in CookieSessionProvider when
we're already handling deduplication in WebResponse.

Further, this fixes the bug in the existing CookieSessionProvider
implementation that a setCookie() followed by a clearCookie() wouldn't
actually clear the cookie.

This reverts commit 1ce684fcef.

Bug: T124252
Change-Id: I1098d054facacd59f03ebed7c747ec9ff6bf66e7
Depends-On: I61d14bf80fa7c857dec9cffb366dc3f84dbb4faf
2016-01-25 03:34:11 +00:00
Brad Jorsch
a73c5b7395 Add SessionManager
SessionManager is a general-purpose session management framework, rather
than the cookie-based sessions that PHP wants to provide us.

While fallback is provided for using $_SESSION and other PHP session
management functions, they should be avoided in favor of using
SessionManager directly.

For proof-of-concept extensions, see OAuth change Ib40b221 and
CentralAuth change I27ccabdb.

Bug: T111296
Change-Id: Ic1ffea74f3ccc8f93c8a23b795ecab6f06abca72
2016-01-12 21:57:01 +00:00
Gergő Tisza
eaf5dabf88 Add WebResponse::clearCookie()
Easier-to-read alias for setCookie(..., '', time() - 86400).

Change-Id: I0357c4a38085c4754bf6ff7e40756179d19b912d
2015-11-03 20:14:33 +00:00
Brad Jorsch
c3dc398514 FauxResponse: Honor cookie options, and other cleanup
We have this nice class for unit testing cookie-setting, but the
cookie-setting method ignores all the parameters! Fix that. Also provide
accessors to check the entire set of cookie data, and the set cookies as
a whole.

While this does change the semantics of FauxRequest::getcookie() in that
the name now needs to be prefixed, no extension in Gerrit uses this
method so we should be fine.

Also clean up the case of the setCookie and getCookie methods while
we're at it. Since PHP method names are case-insensitive, this doesn't
even break compatibility with extensions.

Change-Id: Ib44a074bf9796bc0b470d557e39465792f399d30
2015-09-29 22:45:56 +00:00
Timo Tijhof
f57b6af45b WebResponse: Implement statusHeader() using the new HttpStatus::header()
* Convert existing use of WebResponse::header() for HTTP status headers
  to use this new statusHeader() method.

* Extend unit test for FauxResponse.

I'm not calling HttpStatus::header directly in code. We keep the abstraction
layer of WebResponse so that responses can continue to be mocked/fauxed without
affecting the outer HTTP response.

Change-Id: I8a536e16659fa88b54cffa1457efb889efa5fcd6
2015-06-04 02:27:30 +00:00
Thiemo Mättig
53e6c5b237 Set parameter default to array() in WebResponse::setcookie()
This is a direct follow-up for the question raised in Ifab16c2.
Null is not a meaningful value in this case. As far as I can see the
only reason it was added was to make the parameter optional. Optional
array parameters are better marked with "= array()".

Change-Id: I86965d390fdb718de7fb81a9f4c48b2261c16aa9
2015-03-27 09:58:58 +01:00
Thiemo Mättig
63a8237c64 Fix inline documentation in WebResponse
Main reason to touch this file are the missing "null" types in the
documentation.

Change-Id: Ifab16c276efb3d8c4aa0a27d8d5106d4e3303794
2015-03-26 18:48:47 +00:00
Aaron Schulz
e369f66d00 Replace wfRunHooks calls with direct Hooks::run calls
* This avoids the overhead of an extra function call

Change-Id: I8ee996f237fd111873ab51965bded3d91e61e4dd
2014-12-10 12:26:59 -08:00
Ori Livneh
67e9b8e394 Add WebResponse::getHeader()
Equivalent to FauxResponse::getHeader()
Also change case of FauxResponse::getHeader.

Change-Id: I569b2ebbcd166f5d0a5a5f2dfa913a6aa49e13f4
2014-11-07 11:19:12 -08:00
umherirrender
a203032d00 Docs: compatability -> compatibility
https://en.wiktionary.org/wiki/compatability

Change-Id: I71d82ae04d4b17609a1d5a7eec4497115e64972e
2014-08-13 19:39:07 +02:00
umherirrender
1c68a1ee86 Cleanup some docs (includes/*.php)
- Swap "$variable type" to "type $variable"
- Added missing types
- Fixed spacing inside docs
- Makes beginning of @param/@return/@var/@throws in capital
- Changed some types to match the more common spelling

Change-Id: I783e4dbfe5f6f98b32b9a03ccf6439e13e132bcc
2014-07-24 19:42:24 +02:00
umherirrender
829886b10a Fixed some @params documentation
Swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Makes beginning of some text in capital.

Change-Id: I64e8cfe478cb0ba438f40b0631d6e9049cdab567
2014-04-14 12:59:19 +00:00
Kevin Israel
00b7f76aaf Remove $wgHttpOnlyBlacklist
This hack was added in r34083 / 6b16f44108 to support IE for Mac.
That browser is no longer supported, and no additional user-agent
strings have been added in WMF configuration.

Change-Id: Iffba121a9964e2ad387fad8827ddfd8dabcbd12e
2014-03-20 21:19:08 -04:00
Brad Jorsch
54bf87d346 Improve WebResponse::setcookie
Various bits of code are not using this because it doesn't support
various use cases, e.g. session cookies, httpOnly, custom paths, etc.

Refactor it to add all those options. Also add a hook so extensions can
override the setting of the cookie.

Change-Id: Ia0c424a48d9455a8574d91631cde0f00c9882288
2013-08-07 17:43:06 -04:00
Tyler Anthony Romeo
c2c40b2b9b Fixed $wgCookieExpiration functionality when set to 0.
When $wgCookieExpiration is set to 0, cookies should
by default expire when the browser closes. However,
MediaWiki accidentally interpreted this as the cookies
expiring 0 seconds from the request time.

Bug: 47886
Change-Id: Ib988ad18574122a56b0d11c8888c7c41d94dea6e
2013-07-03 17:35:02 +00:00
daniel
1da2dd7983 Make headers in FauxRequest case insensitive
HTTP headers are case insensitive per spec, and WebRequest
treats them like that, so FauxRequest should too.

Change-Id: I4257af7a8de2792ac556c670dcc7f28e4af4cb44
2013-06-03 16:23:11 +02:00
umherirrender
ef2f507d23 Fixed spacing in files direct in includes folder
Added spaces before if, foreach
Added some braces for one line statements

Change-Id: Ibb8dd102db045522d12ff939075ba7420d95ab6b
2013-04-21 06:38:49 +00:00
Tyler Anthony Romeo
4dcc7961df Fixed @param tags to conform with Doxygen format.
Doxygen expects parameter types to come before the
parameter name in @param tags. Used a quick regex
to switch everything around where possible. This
only fixes cases where a primitive variable (or a
primitive followed by other types) is the variable
type. Other cases will need to be fixed manually.

Change-Id: Ic59fd20856eb0489d70f3469a56ebce0efb3db13
2013-03-11 13:15:01 -04:00
Ori Livneh
8debd7b5cd Flip order of conditionals and add explanatory note
The conditional is nominally more performant and considerably more readable
with its constituents flipped. Also adds an explanatory note. Prompted by
confusion over change Ie89507f8e98c365df9d93a7633223103b9025790.

Change-Id: I2d3db63bdbcebe0fd59c063c9f371362c9d07f91
2013-02-25 22:02:14 +00:00
Matthew Flaschen
3f4e273a7b Fix documentation error for $expire in WebResponse::setcookie.
Change-Id: I657ba9b722706d3c71a6fffa3f4b94d35d8de7c5
2013-02-23 08:07:43 +01:00
umherirrender
1044b0b8df fix some spacing
Change-Id: I8f976013f33c5818e4402604fe8610aa3f43b0c6
2013-02-04 20:18:33 +00:00
umherirrender
6fbbbd17ca fix some spacing
Change-Id: Ie7bb35871cc99237f3a655f7db22ca1f0646df5e
2013-01-27 14:21:50 +01:00
Antoine Musso
9362bb6c56 miscellaneous doxygen warnings
* @licence -> @license
* Protects inline HTML by using double quotes, our inline comments use
  elements such as <h1> or <firstnameLastname@gmail.com>
* Commands in lowercase (@TODO -> @todo, @NOTE -> @note)
* removes @abstract and @static since doxygen detects them from PHP
  code.
* various undocumented function parameters
* typos in parameters declarations

Change-Id: I62ad6fc124c355bf31acc780b9614a59cf79a421
2012-10-22 14:00:08 +02:00
csteipp
5801da5f86 (bug 29898) Set cookie to force HTTPS from HTTP
Sets a cookie on user login (removed on logout) if wpStickHTTPS
was checked, which causes the browser to get a redirect if they
visit the HTTP version of the site.

Change-Id: I60f44a1062a93d15198edae6674bb3310a148b2d
2012-09-21 15:47:59 -07:00
Antoine Musso
fc6bc233be Fix doxygen docs before REL1_19 branching 2012-02-01 20:53:38 +00:00
Sam Reed
6d466491c6 Followup r94211
Bug 30315 - Declaration of FauxResponse::setcookie() should be compatible with that of WebResponse::setcookie()
2011-08-11 00:17:58 +00:00
Chad Horohoe
052f542165 Allow overriding $wgCookiePrefix and $wgCookieDomain in WebResponse::setcookie() so I can stop crying when I look at things like CentralAuth and CentralNotice 2011-08-10 23:27:10 +00:00
Alexandre Emsenhuber
0511b15706 * Added some tests for FauxResponse class
* Made some fixes to that class and removed one unused variable
2011-07-13 20:16:14 +00:00
Alexandre Emsenhuber
303eb51924 Per Brion, fix for r91460: make this a bit more robust 2011-07-05 16:40:12 +00:00
Alexandre Emsenhuber
2f7f99b1f1 * Don't create a WebRequest object in CLI mode but a FauxRequest; avoids some useless notices about headers already sent (I know this is more a PHP silliness, but anyway)
* Added HTTP response code parsing (sending a "HTTP/1.x code" header was throwing a NOTICE about undefined index on the result of the explode() call) and storage; added FauxResponse::getStatusCode() to retrieve it
2011-07-05 15:05:14 +00:00
Alexandre Emsenhuber
e7eaf43077 Added some GPL headers 2011-06-28 18:21:59 +00:00
Sam Reed
d3cd73cc25 Documentation updates and additions 2011-06-05 21:04:48 +00:00
Sam Reed
29d159aeba * (bug 22179) Internal use of API (FauxRequest) results in HTTP headers being set
Per Chad, switch API to use WebResponse::header() wrapper

Add $http_response_code to WebResponse::header()
Fix some code spacing/whitespace issues
2011-06-05 19:51:31 +00:00
Alexandre Emsenhuber
bc8abfe5b1 Drop 5.1 compatibility calls to session_set_cookie_params() and setcookie() since we require 5.2.3+ now 2011-04-01 09:50:09 +00:00
Alexandre Emsenhuber
7b79d94515 * Standardised file description headers
* Added some descriptions
* Added @file where needed
2010-08-14 17:42:40 +00:00
Mark A. Hershberger
c74fe71cd8 * new FauxResponse class to help with unit testing
* Add append() method to FileRepo classes to enable chunked uploading
* Change chunksessionkey to chunksession
* Remove echo json stuff
* Fix a multitude of bugs in my own code
* still to test: mwEmbed use of chunked upload
2010-02-10 10:36:11 +00:00
Aaron Schulz
c155fd4e4a Revert r43804 'This should probably be in Response, not Request, as we're setting data, not getting it. Nothing's using it yet (fairly new), so nothing to update.'
Session id is used by client request to specify its login data from cookie, so the session data, by extensions, is like a sort of request parameter. Also, WebResponse.php seems to be used for data actually sent to the client, like requested cookies.
2008-11-21 09:55:13 +00:00
Chad Horohoe
bf244b740f This should probably be in Response, not Request, as we're setting data, not getting it. Nothing's using it yet (fairly new), so nothing to update. 2008-11-21 09:01:26 +00:00