> -----Original Message-----
> From: Dirk-Willem van Gulik
> Sent: Monday, 11 February 2008 01:22
> To: [email protected]
> Subject: Re: cache - cleaning up mod_memcache and making other caches their live easier
>
> >
> > I currently do not understand your worries here. Could you please
> > explain this in more detail?
>
> Right now we simply concatenate values without any 'separator'. So by
> for example playing with the User-Agent - adding/prefixing another
> Vary value - you could perhaps fool us into thinking that another
> header was set - which was not set at all. I.e. with:
>
>     Vary: Content-Language User-Agent
>
> and a value on disk of
>
>     EnMozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
>
> then the question is did I pass
>
>     GET / HTTP/1.0
>     User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
>     Accept-Language; en
>     Host : foo
>
> or
>
>     GET / HTTP/1.0
>     User-Agent: EnMozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
>     Foo
>
> or something along those lines. Not sure how bad this is -- but I've
> been bitten by things like this in the past. What I worry about is
> that a clever user can get something out of the cache we did not expect.
>
> Or am I way off here?

Thanks for explaining. The contents of the cache are not protected by any means.
So I do not see a security issue here. Someone who has access to one cache entity
has access to all. This doesn't mean that a separator is unneeded, but currently
I for myself see no need for it.

Regards

Rüdiger
