You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/10/06 18:11:24 UTC
[Bug 60212] New: Cached Location/Content-Location URIs are not
properly invalidated
https://bz.apache.org/bugzilla/show_bug.cgi?id=60212
Bug ID: 60212
Summary: Cached Location/Content-Location URIs are not properly
invalidated
Product: Apache httpd-2
Version: 2.4.23
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_cache
Assignee: bugs@httpd.apache.org
Reporter: champion.p@gmail.com
RFC 7234 requires the following:
A cache MUST invalidate the effective Request URI (Section 5.5 of
[RFC7230]) as well as the URI(s) in the Location and Content-Location
response header fields (if present) when a non-error status code is
received in response to an unsafe request method.
However, a cache MUST NOT invalidate a URI from a Location or
Content-Location response header field if the host part of that URI
differs from the host part in the effective request URI (Section 5.5
of [RFC7230]). This helps prevent denial-of-service attacks.
The code put in place to do the Location/Content-Location invalidation doesn't
appear to work properly, though. It has two problems that I can see:
1) The Location/Content-Location header value is passed directly to
cache_canonicalise_key, but that function expects a URI path, not an absolute
URI (which Location is required to be, and Content-Location *may* be). This
results in a useless cache key (e.g.
"http://example.com:80http://example.com/path/to/resource").
2) The check for identical host parts always seems to fail, since
r->parsed_uri.hostname is always NULL in my testing. This ensures that no
invalidation is ever run. Perhaps we should be using the server hostname
instead (possibly as defined by the CacheKeyBaseURL, or else
ap_get_server_name())?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org