git.ipfire.org Git - thirdparty/squid.git/commit

Do not share private responses with collapsed client(s).

This excessive sharing problem with collapsed forwarding code has
several layers. In most cases, the core CF code does not share
uncachable or private response with collapsed clients because of the
refreshCheckHTTP() check. However, some responses might not be subject
to that (or equivalent) check. More importantly, collapsed revalidation
code does not check its responses at all and, hence, easily shares
private responses.

This short-term fix incorrectly assumes that an entry may become private
(KEY_PRIVATE) only when it cannot be shared among multiple clients
(e.g., because of a Cache-Control:private response header). However,
there are a few other cases when an entry becomes private. One of them
is a DISK_NO_SPACE_LEFT error inside storeSwapOutFileClosed() where
StoreEntry::releaseRequest() sets KEY_PRIVATE for a sharable entry [that
may still be perfectly preserved in the memory cache]. Consequently, the
short-term fix reduces CF effectiveness. The extent of this reduction is
probably environment-dependent.

Also: do not re-use SET_COOKIE headers for collapsed revalidation slaves,
i.e., adhere to the same requirement as for regular response HITs.

author	Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com>
	Fri, 16 Dec 2016 02:02:43 +0000 (15:02 +1300)
committer	Amos Jeffries <squid3@treenet.co.nz>
	Fri, 16 Dec 2016 02:02:43 +0000 (15:02 +1300)
commit	096c9df37a022039c74fdc4b64d5ff06b4c2e548
tree	4df6da46899f72bd77ac9bff5aa9019256d18367	tree \| snapshot
parent	457c00d00a3b65675fe671c80312c99a16ef4059	commit \| diff