You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/10/06 18:11:24 UTC

[Bug 60212] New: Cached Location/Content-Location URIs are not properly invalidated

https://bz.apache.org/bugzilla/show_bug.cgi?id=60212

            Bug ID: 60212
           Summary: Cached Location/Content-Location URIs are not properly
                    invalidated
           Product: Apache httpd-2
           Version: 2.4.23
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_cache
          Assignee: bugs@httpd.apache.org
          Reporter: champion.p@gmail.com

RFC 7234 requires the following:

   A cache MUST invalidate the effective Request URI (Section 5.5 of
   [RFC7230]) as well as the URI(s) in the Location and Content-Location
   response header fields (if present) when a non-error status code is
   received in response to an unsafe request method.

   However, a cache MUST NOT invalidate a URI from a Location or
   Content-Location response header field if the host part of that URI
   differs from the host part in the effective request URI (Section 5.5
   of [RFC7230]).  This helps prevent denial-of-service attacks.

The code put in place to do the Location/Content-Location invalidation doesn't
appear to work properly, though. It has two problems that I can see:

1) The Location/Content-Location header value is passed directly to
cache_canonicalise_key, but that function expects a URI path, not an absolute
URI (which Location is required to be, and Content-Location *may* be). This
results in a useless cache key (e.g.
"http://example.com:80http://example.com/path/to/resource").

2) The check for identical host parts always seems to fail, since
r->parsed_uri.hostname is always NULL in my testing. This ensures that no
invalidation is ever run. Perhaps we should be using the server hostname
instead (possibly as defined by the CacheKeyBaseURL, or else
ap_get_server_name())?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org