Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/01/15 21:19:50 UTC

DO NOT REPLY [Bug 16135] New: - Cache-control: private=list ignored

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16135

           Summary: Cache-control: private=list ignored
           Product: Apache httpd-2.0
           Version: HEAD
          Platform: All
               URL: http://coad.measurement-factory.com/cgi-bin/coad/GraseInfoCgi?info_id=test_clause/rfc2616/ccRespDirHdr-private
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_cache
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: coad@measurement-factory.com


Looks like a possible RFC 2616 MUST violation. 
Apache ignores the "Cache-Control: private=list" 
directive. The "Cache-Control: private" test
is successful though. The initial severity is
set above "normal" because this bug might expose private
[user] information to third parties.

If handling lists in Cache-Control headers is a difficult change,
the code should be adjusted to ignore those lists as opposed to
ignoring complete Cache-Control headers. In other words, it would
be much better if Apache at least treats "private=list" as "private".

See attached trace(s) for details and ways to reproduce
the violation mentioned above.

Test case IDs in the trace link to human-oriented test case
descriptions and RFC quotes, if available.

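The fallback the report asks for, as an added example (not code from the report or from mod_cache): a Cache-Control scanner that recognises "private" with or without a quoted field list and refuses shared-cache storage either way. The function names cc_has_directive and shared_cache_may_store and the sample header values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Return 1 if directive `name` is present in a Cache-Control value, bare
 * ("private") or with an argument ("private=\"Set-Cookie\""). Commas inside
 * a quoted-string do not split directives. */
static int cc_has_directive(const char *hdr, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = hdr;

    while (*p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        const char *tok = p;   /* directive name ends at '=', ',' or space */
        while (*p && *p != '=' && *p != ',' && !isspace((unsigned char)*p)) p++;
        if ((size_t)(p - tok) == nlen && strncasecmp(tok, name, nlen) == 0)
            return 1;
        int quoted = 0;        /* skip the argument, honouring quoting */
        while (*p && (quoted || *p != ',')) {
            if (quoted && *p == '\\' && p[1]) p++;   /* quoted-pair */
            else if (*p == '"') quoted = !quoted;
            p++;
        }
    }
    return 0;
}

/* Conservative shared-cache decision (hypothetical helper): any form of
 * "private", with or without a field list, forbids storing, as does
 * "no-store". */
int shared_cache_may_store(const char *cache_control)
{
    if (cache_control == NULL) return 1;
    return !cc_has_directive(cache_control, "private")
        && !cc_has_directive(cache_control, "no-store");
}

int main(void)
{
    /* Constructed sample header values, not taken from the bug's trace. */
    const char *samples[] = { "private", "max-age=60, private=\"Set-Cookie\"",
                              "no-cache=\"private\", max-age=10", "public" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-36s -> %s\n", samples[i],
               shared_cache_may_store(samples[i]) ? "store" : "do not store");
    return 0;
}
```

The third sample shows why the scan tracks quoting: the word "private" inside the argument of no-cache is a field name, not the private directive.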