[Varnish] #939: Error 400 if a single header exceeds 2048 characters

Varnish varnish-bugs at varnish-cache.org
Sat Jun 18 11:47:57 CEST 2011

#939: Error 400 if a single header exceeds 2048 characters
 Reporter:  david  |        Type:  defect
   Status:  new    |    Priority:  normal
Milestone:         |   Component:  build 
  Version:  trunk  |    Severity:  normal
 Keywords:         |  

Comment(by phk):

 Take the X-Forwarded-For header as an example:  You append to that whenever
 you go through a proxy.

 Imagine you have a load-balancer sitting in front of your varnish which
 does that, and that you need the X-F-F header for something important.

 If Varnish just drops headers that are too long, you have now made it
 possible for an adversary to send an X-F-F: header which is 2046 chars
 long, your balancer adds the IP to it and your varnish throws it away.

 That sort of scenario makes my security-alarm tingle faintly.

 Your points about documentation and diagnostics are taken, so the ticket
 stays open as a reminder for now.

Ticket URL: <http://www.varnish-cache.org/trac/ticket/939#comment:4>
Varnish <http://varnish-cache.org/>
The Varnish HTTP Accelerator
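A small simulation of the scenario phk describes, added here as an example (it is not code from the ticket or from Varnish): the 2048 limit, the two policy functions and the addresses are assumptions, and the point is that silently dropping an oversized header hides the loss of the X-Forwarded-For value from the backend, while a 400 makes the failure visible.

```python
# Added example, not Varnish code: compare "drop oversized headers" with
# "reject the request" for the X-Forwarded-For (XFF) chain in the ticket.

HEADER_LIMIT = 2048  # per-header length limit assumed for the simulation


def append_xff(headers: dict, peer_addr: str) -> dict:
    """Model the load balancer: append the connecting peer's address to XFF."""
    out = dict(headers)
    xff = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{xff}, {peer_addr}" if xff else peer_addr
    return out


def drop_policy(headers: dict):
    """Hypothetical lenient behaviour: request passes, oversized headers vanish."""
    kept = {k: v for k, v in headers.items() if len(v) <= HEADER_LIMIT}
    return 200, kept


def reject_policy(headers: dict):
    """Behaviour the ticket reports: any oversized header fails the request."""
    if any(len(v) > HEADER_LIMIT for v in headers.values()):
        return 400, {}
    return 200, dict(headers)


def trusted_client_ip(headers: dict):
    """What backend logic relies on: the address the balancer appended last."""
    xff = headers.get("X-Forwarded-For")
    return xff.rsplit(",", 1)[-1].strip() if xff else None


def run(policy, client_xff: str, peer_addr: str = "203.0.113.7"):
    """Client sends its own XFF, the balancer appends, Varnish applies policy.

    Returns (status, client IP the backend would see or None if it is gone).
    """
    incoming = {"X-Forwarded-For": client_xff} if client_xff else {}
    status, seen = policy(append_xff(incoming, peer_addr))
    return status, trusted_client_ip(seen)


if __name__ == "__main__":
    # Constructed input: a 2046-char XFF value; appending ", 203.0.113.7"
    # pushes the header past HEADER_LIMIT at Varnish.
    oversized = "x" * 2046
    print("drop  :", run(drop_policy, oversized))    # (200, None): IP silently lost
    print("reject:", run(reject_policy, oversized))  # (400, None): failure is visible
    print("normal:", run(reject_policy, "198.51.100.5"))  # (200, '203.0.113.7')
```

The same check applied on the balancer itself, before it appends, would catch the oversized value where it enters the chain rather than one hop later.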
