BBlack has submitted this change and it was merged.

Change subject: Read values inbound in X-Analytics header (pageview and preview)
......................................................................

Read values inbound in X-Analytics header (pageview and preview)

We want to take advantage of clients being able to set values inbound
into the X-Analytics header. Reading any key/value pairs on the header
and passing those along seems like it could be error-prone and open
varnish code to attacks, thus we whitelist specific headers.

This strategy works well for now since the headers we allow can only
have one possible value.

See: https://wikitech.wikimedia.org/wiki/X-Analytics

Bug: T133204
Change-Id: I267689653f590ef57c6fce6963002588b8ce4474
---
M templates/varnish/analytics.inc.vcl.erb
1 file changed, 14 insertions(+), 0 deletions(-)

Approvals:
  BBlack: Verified; Looks good to me, approved

diff --git a/templates/varnish/analytics.inc.vcl.erb b/templates/varnish/analytics.inc.vcl.erb
index fa2bd78..eaacc9f 100644
--- a/templates/varnish/analytics.inc.vcl.erb
+++ b/templates/varnish/analytics.inc.vcl.erb
@@ -166,6 +166,20 @@ call analytics_last_access_deliver_; call analytics_provenance_deliver_; + # We check allowed values inbound in X-Analytics header + # + # At this time there are only two values we let clients send: + # pageview=1 and preview=1 and they are mutually exclusive + # https://wikitech.wikimedia.org/wiki/X-Analytics#Keys + + # Any value that we decide clients can send in the future should be + # whitelisted here + if (req.http.X-Analytics ~ "(^|;)pageview=1(;|$)") { + set resp.http.X-Analytics = resp.http.X-Analytics + ";pageview=1"; + } else if (req.http.X-Analytics ~ "(^|;)preview=1(;|$)") { + set resp.http.X-Analytics = resp.http.X-Analytics + ";preview=1"; + } + if (req.http.X-Carrier) { set resp.http.X-Analytics = resp.http.X-Analytics + ";zero=" + req.http.X-Carrier; if (req.http.X-Carrier-Meta) { -- To view, visit https://gerrit.wikimedia.org/r/285051 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I267689653f590ef57c6fce6963002588b8ce4474 Gerrit-PatchSet: 6 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Nuria <[email protected]> Gerrit-Reviewer: BBlack <[email protected]> Gerrit-Reviewer: Ema <[email protected]> Gerrit-Reviewer: Nuria <[email protected]> Gerrit-Reviewer: Ottomata <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
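
Review bot: In the new if / else if on req.http.X-Analytics, a request that carries both pageview=1 and preview=1 is recorded as pageview=1 and the preview flag is silently dropped. The comment says the two keys are mutually exclusive but not that pageview wins on conflict; please state that precedence in the comment, or append neither when both are present so a misbehaving client is not counted as a pageview. Also, the patterns "(^|;)pageview=1(;|$)" and "(^|;)preview=1(;|$)" allow no whitespace around the semicolon, so a header such as "a=b; pageview=1" would not match; if clients may send that form, allow optional whitespace in the pattern, otherwise note the expected format in the comment. Appending a fixed literal instead of the client's text is the right approach, since nothing from the request header is copied into resp.http.X-Analytics.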
