httpd-dev mailing list archives

From Plüm, Rüdiger, VF-Group <ruediger.pl...@vodafone.com>
Subject Re: cache - cleaning up mod_memcache and making other caches their live easier
Date Mon, 11 Feb 2008 11:58:13 GMT
 

> -----Original Message-----
> From: Dirk-Willem van Gulik
> Sent: Monday, 11 February 2008 01:22
> To: dev@httpd.apache.org
> Subject: Re: cache - cleaning up mod_memcache and making other caches their live easier
> 

> >
> > I currently do not understand your worries here. Could you please
> > explain this in more detail?
> 
> Right now we simply concatenate values without any 'separator'. So by
> for example playing with the User-Agent - adding/prefixing another
> Vary value - you could perhaps fool us in thinking that another
> header was set - which was not set at all. I.e. with:
> 
> 	Vary: Content-Language User-Agent
> 
> and a value on disk of
> 
> 	EnMozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
> 
> then the question is did I pass
> 
> 	GET / HTTP/1.0
> 	User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
> 	Accept-Language; en
> 	Host : foo
> 
> or
> 
> 	GET / HTTP/1.0
> 	User-Agent: EnMozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
> 	Foo
> 
> or something along those lines. Not sure how bad this is -- but I've
> been bitten by things like this in the past. What I worry about is
> that a clever user can get something out of the cache we did not expect.
> 
> Or am I way off here ?

Thanks for explaining.
The contents of the cache are not protected by any means. So I do not
see a security issue here. Someone who has access to one cache entity
has access to all.
This doesn't mean that a separator is unneeded, but currently I for myself
see no need for it.

Regards

Rüdiger
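The ambiguity Dirk-Willem describes in the quoted message, as an added illustration that is not httpd's own code: the two requests from his example collide under plain concatenation of the Vary values but not once each value is length-framed. The `vary_values` structure, the sample request values and the netstring-style framing are assumptions made for this demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_VARY 4
#define KEY_LEN  512

/* Request-side values of the headers named in Vary, in Vary order; an
 * absent header is the empty string.  Constructed, not httpd's types. */
struct vary_values { const char *value[MAX_VARY]; int count; };

/* Build the cache key.  framed == 0: plain concatenation, as the quoted
 * message describes.  framed == 1: each value carries its own length, so
 * header content can never move the boundary between two values.
 * Returns the key length, or 0 if it did not fit in cap bytes. */
static size_t build_key(const struct vary_values *v, int framed,
                        char *out, size_t cap)
{
    size_t n = 0;
    out[0] = '\0';
    for (int i = 0; i < v->count; i++) {
        const char *s = v->value[i];
        int w = framed ? snprintf(out + n, cap - n, "%zu:%s,", strlen(s), s)
                       : snprintf(out + n, cap - n, "%s", s);
        if (w < 0 || (size_t)w >= cap - n) return 0;
        n += (size_t)w;
    }
    return n;
}

/* 1 if requests a and b would map to the same cache entry. */
static int same_entry(int framed, const struct vary_values *a,
                      const struct vary_values *b)
{
    char ka[KEY_LEN], kb[KEY_LEN];
    size_t la = build_key(a, framed, ka, sizeof ka);
    size_t lb = build_key(b, framed, kb, sizeof kb);
    return la > 0 && la == lb && memcmp(ka, kb, la) == 0;
}

/* The two requests from the quoted message (Vary: Content-Language
 * User-Agent): A sends "En" plus the browser UA, B sends no language
 * and a UA string that starts with "En".  Constructed sample values. */
#define UA "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
static const struct vary_values REQ_A = { { "En", UA }, 2 };
static const struct vary_values REQ_B = { { "", "En" UA }, 2 };

int main(void)
{
    printf("concatenated:  same entry = %d\n", same_entry(0, &REQ_A, &REQ_B));
    printf("length-framed: same entry = %d\n", same_entry(1, &REQ_A, &REQ_B));
    return 0;
}
```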

