I am not just speaking for us. (We didn't report some of the issues because of the seeming lack of interest.) I also don't think it is just about us; I know a lot of people front web (WordPress, Drupal, etc.) farms with Varnish, where someone could change a header but not generate 1TB objects.

And previously, you have not considered these a problem at all. If you are fronting a website that you completely own, and you have 300 developers working on it, it isn't entirely unlikely one of them will forget a comma in a Vary. And boom, your Varnish is gone. Or, god forbid, some funny person sets a response code over 999. (Oh, is that a new disclosure?)

I've argued many times: asserting on user input from the network should not be done; it is bad form and sloppy.

EOM

------Original Message------
From: Poul-Henning Kamp
To: Artur Bergman
Cc: Nils Goroll
Cc: [email protected]
Subject: Re: full disclosure reports
Sent: Mar 6, 2013 08:23

In message <[email protected]>, Artur Bergman writes:
>> They contacted me up front, I told them we don't consider it a security
>> problem, because Varnish has to trust the backend being sensible.
>>
>> We'd be just as hosed if the backend started sending only 1TB objects.
>
> Thank you for that very pragmatic and mature view of the world.

I didn't say I don't consider those issues problems, I do, I just don't consider them security problems.

I do realize that Fastly's usage of Varnish is different from pretty much everybody else in the world, but that is a risk Fastly has chosen to take and the consequences are theirs to bear.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
[email protected]         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Sent via BlackBerry by AT&T

_______________________________________________
varnish-dev mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
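The thread above argues over whether a cache may abort on a malformed backend response (a Vary header missing its comma, a status code over 999) or must treat such a response as untrusted input and degrade gracefully. The following is an added illustration of the second approach; it is not Varnish code, not code from either correspondent, and it makes no claim about how Varnish itself parsed these fields. The functions, the 503 mapping and the sample responses are all constructed for the example.

```python
"""Defensive handling of backend response fields instead of asserting on them.

Added illustration for the varnish-dev thread; not Varnish code. The point
it demonstrates: a malformed Vary header or a nonsensical status line from
one backend should fail that one response, not the whole cache process.
"""
import re

# RFC 7230 "token" characters, which is what a header field name may contain.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadBackendResponse(ValueError):
    """A backend response the cache refuses to use.

    The caller maps this to a 503 for the single client request that hit it;
    the process keeps serving everyone else.
    """


def parse_status(status_line):
    """Return the status code from a line such as 'HTTP/1.1 200 OK'.

    RFC 7230 defines the status as exactly three digits, so '1000' or 'abc'
    raises BadBackendResponse instead of being trusted (or asserted on).
    """
    m = re.match(r"^HTTP/1\.[01] (\d{3})(?: |$)", status_line)
    if not m:
        raise BadBackendResponse("malformed status line: %r" % (status_line,))
    return int(m.group(1))


def parse_vary(value):
    """Return the lower-cased field names listed in a Vary header.

    Strict syntax is a comma-separated list, but a backend that forgot the
    comma ('Accept-Encoding User-Agent') is read as two names. Only a part
    that is not a valid token makes the response unusable. A '*' anywhere
    means the response varies on everything, so ['*'] is returned.
    """
    names = []
    for part in re.split(r"[,\s]+", value.strip()):
        if not part:
            continue
        if not _TOKEN_RE.match(part):
            raise BadBackendResponse("invalid field name in Vary: %r" % (part,))
        names.append(part.lower())
    return ["*"] if "*" in names else names


def decide(status_line, headers):
    """Decide what a cache should do with one backend response.

    headers maps header name -> value as received (any case). Returns
    ('store', vary_names) when the object may be cached or ('pass', reason)
    when it must be served without caching. Raises BadBackendResponse for
    input that cannot be made sense of at all.
    """
    status = parse_status(status_line)
    if not 100 <= status <= 599:
        # Syntactically valid but outside every registered class: do not
        # cache it and do not crash; just pass this one response through.
        return ("pass", "unregistered status %d" % status)
    vary = next((v for k, v in headers.items() if k.lower() == "vary"), None)
    vary_names = parse_vary(vary) if vary is not None else []
    if vary_names == ["*"]:
        return ("pass", "Vary: *")
    return ("store", vary_names)


def handle(status_line, headers):
    """Wrap decide() the way a request handler would: garbage becomes a 503 action."""
    try:
        return decide(status_line, headers)
    except BadBackendResponse as exc:
        return ("error_503", str(exc))


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = [
        ("HTTP/1.1 200 OK", {"Vary": "Accept-Encoding, User-Agent"}),
        ("HTTP/1.1 200 OK", {"Vary": "Accept-Encoding User-Agent"}),  # missing comma
        ("HTTP/1.1 200 OK", {"Vary": "Accept-Encoding, Bad Name(1)"}),  # not a token
        ("HTTP/1.1 1000 Whatever", {}),  # status code over 999
        ("HTTP/1.1 799 Odd", {}),  # three digits, but no such class
    ]
    for line, hdrs in samples:
        print(line, hdrs, "->", handle(line, hdrs))
```

Every branch ends in a return value the caller can act on: store, pass, or serve a 503 for that one request. Nothing in the path from backend bytes to cache decision can take the process down, which is the property the message above is asking for.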
