https://bz.apache.org/bugzilla/show_bug.cgi?id=60212
Bug ID: 60212
Summary: Cached Location/Content-Location URIs are not properly
invalidated
Product: Apache httpd-2
Version: 2.4.23
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_cache
Assignee: [email protected]
Reporter: [email protected]
RFC 7234 requires the following:
A cache MUST invalidate the effective Request URI (Section 5.5 of
[RFC7230]) as well as the URI(s) in the Location and Content-Location
response header fields (if present) when a non-error status code is
received in response to an unsafe request method.
However, a cache MUST NOT invalidate a URI from a Location or
Content-Location response header field if the host part of that URI
differs from the host part in the effective request URI (Section 5.5
of [RFC7230]). This helps prevent denial-of-service attacks.
The code put in place to do the Location/Content-Location invalidation doesn't
appear to work properly, though. It has two problems that I can see:
1) The Location/Content-Location header value is passed directly to
cache_canonicalise_key, but that function expects a URI path, not an absolute
URI (which Location is required to be, and Content-Location *may* be). This
results in a useless cache key (e.g.
"http://example.com:80http://example.com/path/to/resource";).
2) The check for identical host parts always seems to fail, since
r->parsed_uri.hostname is always NULL in my testing. This ensures that no
invalidation is ever run. Perhaps we should be using the server hostname
instead (possibly as defined by the CacheKeyBaseURL, or else
ap_get_server_name())?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
