[master] d916b6c3e builtin: No longer pipe anything by default

Walid Boudebouda walid.boudebouda at gmail.com
Mon Sep 1 13:21:06 UTC 2025 

commit d916b6c3e8b1813c2407c9b6b6a7c27cb1344119
Author: Walid Boudebouda <walid.boudebouda at gmail.com>
Date:   Mon Aug 18 11:41:17 2025 +0200

    builtin: No longer pipe anything by default
    
    It is safer to reject unknown methods than to pipe them
    to the backend by default. Users who need it must explicitly
    allow them in their own VCLs.

diff --git a/bin/varnishd/builtin.vcl b/bin/varnishd/builtin.vcl
index bf7595ebc..d99ebbf05 100644
--- a/bin/varnishd/builtin.vcl
+++ b/bin/varnishd/builtin.vcl
@@ -73,7 +73,8 @@ sub vcl_req_method {
 	    req.method != "DELETE" &&
 	    req.method != "PATCH") {
 		# Non-RFC2616 or CONNECT which is weird.
-		return (pipe);
+		set req.http.Connection = "close";
+		return (synth(501));
 	}
 	if (req.method != "GET" && req.method != "HEAD") {
 		# We only deal with GET and HEAD by default.
diff --git a/bin/varnishtest/tests/r01524.vtc b/bin/varnishtest/tests/r01524.vtc
index a845da303..b32c714a9 100644
--- a/bin/varnishtest/tests/r01524.vtc
+++ b/bin/varnishtest/tests/r01524.vtc
@@ -7,6 +7,9 @@ server s1 {
 } -start
 
 varnish v1 -vcl+backend {
+	sub vcl_recv {
+		return (pipe);
+	}
 } -start
 
 client c1 {
diff --git a/bin/varnishtest/tests/r01890.vtc b/bin/varnishtest/tests/r01890.vtc
index 4ab690526..a544c82a6 100644
--- a/bin/varnishtest/tests/r01890.vtc
+++ b/bin/varnishtest/tests/r01890.vtc
@@ -6,6 +6,10 @@ server s1 {
 } -start
 
 varnish v1 -vcl+backend {
+	sub vcl_recv {
+		return (pipe);
+	}
+
 	sub vcl_pipe {
 		return (synth(401));
 	}
diff --git a/bin/varnishtest/tests/s00013.vtc b/bin/varnishtest/tests/s00013.vtc
index 46c7844ba..d383f45e3 100644
--- a/bin/varnishtest/tests/s00013.vtc
+++ b/bin/varnishtest/tests/s00013.vtc
@@ -26,6 +26,10 @@ server s1 {
 varnish v1 -cliok "param.set pipe_timeout 0s"
 varnish v1 -cliok "param.set pipe_task_deadline 0s"
 varnish v1 -vcl+backend {
+	sub vcl_recv {
+		return (pipe);
+	}
+
 	sub vcl_pipe {
 		set bereq.task_deadline = 1.1s;
 		if (req.method != "TMO") {

More information about the varnish-commit mailing list