Steps to replicate the issue:
Execute
curl -is 'https://www.mediawiki.org/w/api.php?action=query&format=json&maxage=-42' | grep -i cache-control
with a negative integer in the URL parameter maxage.
What happens?:
The result is
cache-control: s-maxage=0, max-age=-42, public
with a negative value in the attribute max-age of the HTTP header field Cache-Control.
What should have happened instead?:
According to https://www.rfc-editor.org/rfc/rfc9111.html#delta-seconds the value in the attribute max-age of the HTTP header field Cache-Control must be a non-negative integer:
The delta-seconds rule specifies a non-negative integer, representing time in seconds.
delta-seconds = 1*DIGIT
The URL parameter maxage with a negative integer should be ignored, like other invalid values or an omitted parameter:
$ curl -is 'https://www.mediawiki.org/w/api.php?action=query&format=json&maxage=foo' | grep -i cache-control
cache-control: private, must-revalidate, max-age=0
$ curl -is 'https://www.mediawiki.org/w/api.php?action=query&format=json&maxage=3.14' | grep -i cache-control
cache-control: private, must-revalidate, max-age=0
$ curl -is 'https://www.mediawiki.org/w/api.php?action=query&format=json' | grep -i cache-control
cache-control: private, must-revalidate, max-age=0
and only non-negative integers should be accepted, like:
$ curl -is 'https://www.mediawiki.org/w/api.php?action=query&format=json&maxage=42' | grep -i cache-control
cache-control: s-maxage=0, max-age=42, public
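As an added illustration (not MediaWiki's code), the following Python models the expected validation: a maxage value is accepted only if it matches the RFC 9111 delta-seconds grammar (1*DIGIT), so "-42", "foo", "3.14" and a missing parameter all fall back to the private default header, and a second helper flags any max-age or s-maxage directive in a received Cache-Control header whose argument is not a valid delta-seconds token. The header strings and the fallback behaviour are taken from the report above; the function names are assumed.

```python
import re
from typing import Optional

# RFC 9111: delta-seconds = 1*DIGIT (one or more ASCII digits; no sign, no fraction).
DELTA_SECONDS = re.compile(r"[0-9]+")

# Directives whose argument is defined as delta-seconds and is mandatory.
DELTA_SECONDS_DIRECTIVES = {"max-age", "s-maxage"}


def parse_delta_seconds(value: Optional[str]) -> Optional[int]:
    """Return the integer if `value` is a valid delta-seconds token, else None.

    Rejects negative numbers ("-42"), fractions ("3.14"), non-digits ("foo")
    and an absent value (None or ""), exactly as the grammar requires.
    """
    if value is None or not DELTA_SECONDS.fullmatch(value):
        return None
    return int(value)


def cache_control_for_maxage(maxage_param: Optional[str]) -> str:
    """Build the Cache-Control header as the report describes the API behaving.

    Simplified model (hypothetical, not MediaWiki's implementation): a valid
    maxage yields the public, cacheable header; anything invalid or missing
    yields the private, must-revalidate default seen in the report.
    """
    seconds = parse_delta_seconds(maxage_param)
    if seconds is None:
        return "private, must-revalidate, max-age=0"
    return f"s-maxage=0, max-age={seconds}, public"


def invalid_delta_directives(cache_control: str) -> list[str]:
    """Defender-side check over a received Cache-Control header value.

    Returns every max-age / s-maxage directive whose argument is not a valid
    delta-seconds token, e.g. ["max-age=-42"] for the header in the report.
    """
    bad = []
    for directive in cache_control.split(","):
        directive = directive.strip()
        name, _, arg = directive.partition("=")
        if name.strip().lower() in DELTA_SECONDS_DIRECTIVES:
            if parse_delta_seconds(arg.strip().strip('"') or None) is None:
                bad.append(directive)
    return bad
```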