From: William Lallemand
Date: Tue, 22 May 2018 09:04:33 +0000 (+0200)
Subject: BUG/MEDIUM: cache: don't cache when an Authorization header is present
X-Git-Tag: v1.9-dev1~250
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8a16fe0d053b93c00a8bcf86159135f98ca1377e;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: cache: don't cache when an Authorization header is present

RFC 7234 says:

    A cache MUST NOT store a response to any request, unless:
    [...]
    the Authorization header field (see Section 4.2 of [RFC7235]) does not
    appear in the request, if the cache is shared, unless the response
    explicitly allows it (see Section 3.2),
    [...]

In this patch we completely disable the cache upon the receipt of an Authorization header in the request. In this case it's not possible to either use the cache or store into the cache anymore.

Thanks to Adam Eijdenberg of Digital Transformation Agency for raising this issue.

This patch must be backported to 1.8.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt index cbea3309da..223184b2c5 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -17265,6 +17265,7 @@ The cache won't store and won't deliver objects in these cases: - If the request is not a GET - If the HTTP version of the request is smaller than 1.1 +- If the request contains an Authorization header Caution!: Due to the current limitation of the filters, it is not recommended to use the cache with other filters. Using them can cause undefined behavior diff --git a/src/proto_http.c b/src/proto_http.c index 3adb54f23f..efa6d6a369 100644 --- a/src/proto_http.c +++ b/src/proto_http.c 
@@ -7737,6 +7737,15 @@ void check_request_for_cacheability(struct stream *s, struct channel *chn) } } + /* Don't use the cache and don't try to store if we found the + * Authorization header */ + val = http_header_match2(cur_ptr, cur_end, "Authorization", 13); + if (val) { + txn->flags &= ~TX_CACHEABLE & ~TX_CACHE_COOK; + txn->flags |= TX_CACHE_IGNORE; + continue; + } + val = http_header_match2(cur_ptr, cur_end, "Cache-control", 13); if (!val) continue;
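Review bot: the new bullet "- If the request contains an Authorization header" in the doc/configuration.txt hunk should say that this applies regardless of what the response says, because RFC 7234, as quoted in the commit message, lets a shared cache store such a response when the response explicitly allows it (its Section 3.2), and the commit message states that this patch disables the cache completely instead of implementing that exception. A short addition such as "- If the request contains an Authorization header (the response is neither served from nor stored into the cache, whatever its cache directives)" would keep the documented behaviour aligned with the code.

Review bot: the new block in check_request_for_cacheability() is deliberately stricter than the RFC text it cites, and the code comment should say so, since a reader of `/* Don't use the cache and don't try to store if we found the Authorization header */` will otherwise assume the RFC 7234 "unless the response explicitly allows it" exception is handled elsewhere; once TX_CACHEABLE and TX_CACHE_COOK are cleared and TX_CACHE_IGNORE is set here, no response-side check can re-enable storage. Suggest extending the comment with one line, e.g. `* This is stricter than RFC 7234, which permits storing when the response explicitly allows it. */`. On `txn->flags &= ~TX_CACHEABLE & ~TX_CACHE_COOK;`: this is correct (~A & ~B equals ~(A | B), so both bits are cleared), but `~(TX_CACHEABLE | TX_CACHE_COOK)` states the intent more plainly and avoids the reader having to work through De Morgan to confirm it. The `continue` after the match is fine: the remaining request headers are still scanned, and the flags cleared here cannot be set again by the Cache-control handling that follows.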