Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cache key normalization does not properly distinguish requests #6

Closed
JustinAzoff opened this issue Feb 1, 2018 · 1 comment
Closed

Cache key normalization does not properly distinguish requests #6

JustinAzoff opened this issue Feb 1, 2018 · 1 comment
Labels
bug

Comments

@JustinAzoff
Copy link

Is this a BUG report or FEATURE request?:

Bug

What happened:

The default cache key normalizes different requests to the same cache key

What you expected to happen:

Different requests would use different cache keys

How to reproduce it (as minimally and precisely as possible):

global
    maxconn 100
    cache on

defaults
    mode http
    timeout connect 5s
    timeout client 5s
    timeout server 5s

frontend myfrontend
    bind :8888
    default_backend mybackend

backend mybackend
    # a http backend
    http-request set-header Host httpbin.org
    server s httpbin.org:80
    filter cache
    cache-rule all ttl 3600

Then make two requests that differ only in the position of the '?':

$ curl localhost:8888/get?name=hello
{
  "args": {
    "name": "hello"
  },
  "headers": {
    "Accept": "*/*",
    "Connection": "close",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0"
  },
  "origin": "x",
  "url": "http://httpbin.org/get?name=hello"
}

$ curl localhost:8888/?getname=hello
{
  "args": {
    "name": "hello"
  },
  "headers": {
    "Accept": "*/*",
    "Connection": "close",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0"
  },
  "origin": "x",
  "url": "http://httpbin.org/get?name=hello"
}

Anything else we need to know?:

This is similar to what caused this issue: https://rdist.root.org/2009/05/20/amazon-web-services-signature-vulnerability/
@JustinAzoff JustinAzoff changed the title Cache key normalization does not properly distringuish requests Cache key normalization does not properly distinguish requests Feb 1, 2018
@jiangwenyuan
Copy link
Owner

@JustinAzoff Thanks a lot for pointing out :)

jiangwenyuan pushed a commit that referenced this issue May 7, 2018
@wtarreau
MEDIUM: h2: silently ignore frames higher than last_id after GOAWAY
c0da196 
For a graceful shutdown, the specs requries to discard frames with a
stream ID higher than the advertised last_id. (RFC7540#6.8). Well,
finally for now the code is disabled (see last page of #6.8). Some
frames need to be processed anyway to maintain the compression state
and the flow control window state, but we don't have any trivial way
to do this and ignore them at the same time. For the headers it's
the worst case where we can't parse headers frames without coming
from the streams, and we don't want to create such streams as we'd
have to abort them, and aborting would cause errors to flow back.

Possibly that a longterm solution might involve using some dummy
streams and dummy buffers for this and calling the parsers directly.
@slw slw mentioned this issue Jul 9, 2020
Closed
@slw slw mentioned this issue Jul 21, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JustinAzoff @jiangwenyuan