RFC 7234 says:
A cache MUST NOT store a response to any request, unless:
[...] the Authorization header field (see Section 4.2 of [RFC7235]) does
not appear in the request, if the cache is shared, unless the
response explicitly allows it (see Section 3.2), [...]
In this patch we completely disable the cache upon the receipt of an
Authorization header in the request. In this case it's not possible to
either use the cache or store into the cache anymore.
Thanks to Adam Eijdenberg of Digital Transformation Agency for raising
this issue.
This patch must be backported to 1.8.
- If the request is not a GET
- If the HTTP version of the request is smaller than 1.1
+- If the request contains an Authorization header
Caution!: Due to the current limitation of the filters, it is not recommended
to use the cache with other filters. Using them can cause undefined behavior
}
}
+ /* Don't use the cache and don't try to store if we found the
+ * Authorization header */
+ val = http_header_match2(cur_ptr, cur_end, "Authorization", 13);
+ if (val) {
+ txn->flags &= ~TX_CACHEABLE & ~TX_CACHE_COOK;
+ txn->flags |= TX_CACHE_IGNORE;
+ continue;
+ }
+
val = http_header_match2(cur_ptr, cur_end, "Cache-control", 13);
if (!val)
continue;
projects / thirdparty / haproxy.git / commitdiff
