From 43b2693a3359a190a32a69934ef72305ae9f8849 Mon Sep 17 00:00:00 2001 From: Brad Jorsch Date: Tue, 14 Jun 2016 12:15:40 -0400 Subject: [PATCH] API: Log non-whitelisted CORS requests with session cookies As requested in T62835#1794915, this logs requests that have an Origin header that isn't whitelisted and have "session" cookies (defined as "cookies that SessionManager says to vary on"). Change-Id: I3e34ff1e3a0a3f63c709ee95aa5cf8309fbc4367 --- includes/api/ApiMain.php | 46 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index ce9587f399e..43cc08821f6 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php @@ -171,22 +171,53 @@ class ApiMain extends ApiBase { if ( isset( $request ) ) { $this->getContext()->setRequest( $request ); + } else { + $request = $this->getRequest(); } - $this->mInternalMode = ( $this->getRequest() instanceof FauxRequest ); + $this->mInternalMode = ( $request instanceof FauxRequest ); // Special handling for the main module: $parent === $this parent::__construct( $this, $this->mInternalMode ? 'main_int' : 'main' ); + $config = $this->getConfig(); + if ( !$this->mInternalMode ) { - // Impose module restrictions. - // If the current user cannot read, - // Remove all modules other than login - global $wgUser; + // Log if a request with a non-whitelisted Origin header is seen + // with session cookies. + $originHeader = $request->getHeader( 'Origin' ); + if ( $originHeader === false ) { + $origins = []; + } else { + $originHeader = trim( $originHeader ); + $origins = preg_split( '/\s+/', $originHeader ); + } + $sessionCookies = array_intersect( + array_keys( $_COOKIE ), + MediaWiki\Session\SessionManager::singleton()->getVaryCookies() + ); + if ( $origins && $sessionCookies && ( + count( $origins ) !== 1 || !self::matchOrigin( + $origins[0], + $config->get( 'CrossSiteAJAXdomains' ), + $config->get( 'CrossSiteAJAXdomainExceptions' ) + ) + ) ) { + MediaWiki\Logger\LoggerFactory::getInstance( 'cors' )->warning( + 'Non-whitelisted CORS request with session cookies', [ + 'origin' => $originHeader, + 'cookies' => $sessionCookies, + 'ip' => $request->getIP(), + 'userAgent' => $this->getUserAgent(), + 'wiki' => wfWikiID(), + ] + ); + } + // If we're in a mode that breaks the same-origin policy, strip + // user credentials for security. if ( $this->lacksSameOriginSecurity() ) { - // If we're in a mode that breaks the same-origin policy, strip - // user credentials for security. + global $wgUser; wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" ); $wgUser = new User(); $this->getContext()->setUser( $wgUser ); @@ -211,7 +242,6 @@ class ApiMain extends ApiBase { } } - $config = $this->getConfig(); $this->mModuleMgr = new ApiModuleManager( $this ); $this->mModuleMgr->addModules( self::$Modules, 'action' ); $this->mModuleMgr->addModules( $config->get( 'APIModules' ), 'action' ); -- 2.11.4.GIT