Opened 6 weeks ago

Closed 18 hours ago

Last modified 18 hours ago

#37101 closed Bug (fixed)

Vary header cache key collision from missing delimiter

Reported by: Jake Howard
Owned by: Jacob Walls
Component: Core (Cache system)
Version: 6.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When a cached view varies on multiple headers, the values of those headers are concatenated together in the cache key. There is no delimiter, meaning the cache keys could overlap:

   X-Region: US
   X-Tenant: victim-corp

   X-Region: U
   X-Tenant: Svictim-corp

The above 2 examples would result in the same cache key, despite being different values. Changes to the cache key should be made to ensure values in this way don't collide.


This was previously reported to the Security Team by GeonHa. However, because it requires in-depth knowledge of the system, a lack of user validation and similar values, it is not considered a vulnerability.

Change History (13)

comment:1 by Sarah Boyce, 6 weeks ago

Triage Stage: Unreviewed → Accepted

comment:2 by gonas, 6 weeks ago

Owner: set to gonas
Status: new → assigned

comment:3 by Jason Judkins, 2 weeks ago

@Gonas Hey, are you still working on this? Happy to collaborate or take it over if you've moved on.

comment:4 by Jacob Walls, 2 weeks ago

We're hoping to land a fix for this before the 6.1 beta (June 24), so if we don't have a PR by early next week, I'll need to pick it up myself. Happy for you to make a start, Jason.

comment:5 by Jacob Walls, 7 days ago

Owner: changed from gonas to Jacob Walls

comment:6 by Jacob Walls, 7 days ago

Has patch: set

comment:7 by Natalia Bidart, 39 hours ago

Patch needs improvement: set

comment:8 by Jacob Walls, 37 hours ago

Patch needs improvement: unset

comment:9 by Natalia Bidart, 35 hours ago

Triage Stage: Accepted → Ready for checkin

comment:10 by Jacob Walls <jacobtylerwalls@…>, 18 hours ago

Resolution: fixed
Status: assigned → closed

In 65acb3cc:

Fixed #37101 -- Used netstring delimiter between vary on headers for cached pages.

This prevents collisions between header values that concatenate to the same thing.

comment:11 by Jacob Walls <jacobtylerwalls@…>, 18 hours ago

In 02f94d2:

Refs #37101, #37174 -- Added release note for cache misses when varying on arguments.

Thanks Natalia Bidart for the review.

comment:12 by Jacob Walls <jacobtylerwalls@…>, 18 hours ago

In 8ae64fc:

[6.1.x] Fixed #37101 -- Used netstring delimiter between vary on headers for cached pages.

This prevents collisions between header values that concatenate to the same thing.

Backport of 65acb3cc2e76c238f5aee38d22626d92171a2f7c from main.

comment:13 by Jacob Walls <jacobtylerwalls@…>, 18 hours ago

In e4cda2e:

[6.1.x] Refs #37101, #37174 -- Added release note for cache misses when varying on arguments.

Thanks Natalia Bidart for the review.

Backport of 02f94d2a899b6573f90dee5417afb8a763ee7f25 from main.
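
The collision from the description, next to the length-prefixed (netstring) framing named in the fix commit, as an added example that is not part of the ticket and is not Django's code or the committed patch. `vary_digest`, its `mode` values, the use of SHA-256, the `|` separator and the `-` marker for an absent header are assumptions of this sketch, which also goes beyond the ticket's case to show two related ambiguities.

```python
import hashlib

VARY_ON = ["X-Region", "X-Tenant"]  # headers from the ticket's example


def netstring(value: bytes) -> bytes:
    """Frame value as b"<length>:<value>,", so boundaries are unambiguous."""
    return b"%d:%s," % (len(value), value)


def vary_digest(headers, mode):
    """Digest of the varied-on header values (hypothetical helper).

    mode "concat": values joined with nothing between them (the ticket's bug).
    mode "sep": values joined with "|", a delimiter a value may itself contain.
    mode "netstring": each value length-prefixed; absent headers marked "-".
    """
    parts = []
    for name in VARY_ON:
        value = headers.get(name)
        if mode == "netstring":
            # "-" can never begin a netstring, so absent differs from empty.
            parts.append(b"-" if value is None else netstring(value.encode()))
        elif value is not None:
            parts.append(value.encode())
    joined = (b"|" if mode == "sep" else b"").join(parts)
    return hashlib.sha256(joined).hexdigest()


def collides(a, b, mode):
    """True when two requests would map to the same digest."""
    return vary_digest(a, mode) == vary_digest(b, mode)


# Constructed requests: the first pair is the one given in the ticket.
PAIR_TICKET = ({"X-Region": "US", "X-Tenant": "victim-corp"},
               {"X-Region": "U", "X-Tenant": "Svictim-corp"})
PAIR_SEP = ({"X-Region": "a|b", "X-Tenant": "c"},
            {"X-Region": "a", "X-Tenant": "b|c"})
PAIR_ABSENT = ({"X-Region": "x"}, {"X-Tenant": "x"})

if __name__ == "__main__":
    for label, (a, b) in [("ticket", PAIR_TICKET), ("sep", PAIR_SEP),
                          ("absent", PAIR_ABSENT)]:
        print(label, {m: collides(a, b, m) for m in ("concat", "sep", "netstring")})
```

A single-character separator fixes the ticket's pair but still collides when a header value contains that character; the length prefix removes the ambiguity without restricting what a value may contain.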
