Index: trunk/phase3/includes/DefaultSettings.php
===================================================================
--- trunk/phase3/includes/DefaultSettings.php (revision 55631)
+++ trunk/phase3/includes/DefaultSettings.php (revision 55632)
@@ -3823,6 +3823,12 @@
 $wgAPIMaxUncachedDiffs = 1;
 /**
+ * Log file or URL (TCP or UDP) to log API requests to, or false to disable
+ * API request logging
+ */
+$wgAPIRequestLog = false;
+
+/**
 * Parser test suite files to be run by parserTests.php when no specific
 * filename is passed to it.
 *
Index: trunk/phase3/api.php
===================================================================
--- trunk/phase3/api.php (revision 55631)
+++ trunk/phase3/api.php (revision 55632)
@@ -38,6 +38,7 @@
 require (dirname(__FILE__) . '/includes/WebStart.php');
 wfProfileIn('api.php');
+$starttime = microtime( true );
 // URL safety checks
 //
@@ -118,9 +119,21 @@
 wfDoUpdates();
 // Log what the user did, for book-keeping purposes.
+$endtime = microtime( true );
 wfProfileOut('api.php');
 wfLogProfilingData();
+// Log the request
+if ( $wgAPIRequestLog ) {
+ wfErrorLog( implode( ',', array(
+ wfTimestamp( TS_MW ),
+ $endtime - $starttime,
+ wfGetIP(),
+ wfArrayToCGI( $wgRequest->getValues() )
+ ) ) . "\n", $wgAPIRequestLog );
+ wfDebug( "Logged API request to $wgAPIRequestLog\n" );
+}
+
 // Shut down the database
 wfGetLBFactory()->shutdown();
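Review bot: The doc comment added for `$wgAPIRequestLog` in DefaultSettings.php names the destination but not what is written to it, so an operator enabling the setting cannot tell what the log will hold. Going by the api.php hunk of this same revision, each record is one comma-joined line, so I would add ` * Each line is: timestamp, elapsed seconds, client IP, request parameters as a query string.` to the block. It would also help to show the expected form of a network destination next to "URL (TCP or UDP)", since the accepted syntax is decided inside wfErrorLog() and is not visible here. The following doc block for the parser test setting continues outside the hunk.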
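Review bot: The last field of the record built in the `wfErrorLog()` call in api.php is unbounded, because `$wgRequest->getValues()` with no arguments returns every input value; an edit or upload POST is therefore written out in full on one log line, and a record that size presumably will not fit in a datagram when `$wgAPIRequestLog` points at a UDP destination. Passing a fixed list of names, `wfArrayToCGI( $wgRequest->getValues( 'action', 'format' ) )` with whichever parameters are wanted, keeps each line short and predictable. The comma-separated layout also relies on `wfArrayToCGI()` percent-encoding commas and newlines in values, which this hunk does not show; a comment such as `// values are URL-encoded, so one request is always one line` would record that assumption. `$endtime - $starttime` is converted with default float formatting and can come out in exponent notation for very small values, so `sprintf( '%.6f', $endtime - $starttime )` would be easier to parse.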
This'll include all GET and POST parameters including username and password for API logins, and edit tokens. Serious privacy breach. :)
Does not block deployment, as it will be deactivated on Wikimedia.
Fixed in r55643