[master] 69ad738 By default ignore an <esi:include> with src="https://..."
Poul-Henning Kamp
phk at varnish-cache.org
Mon Sep 16 12:19:28 CEST 2013
commit 69ad7389fe3aee4481aa4f291461bc03e1bc172a
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date: Mon Sep 16 10:18:22 2013 +0000
By default ignore an <esi:include> with src="https://..."
Feature +esi_ignore_https treats it as http://... instead.
Default is "safe" in order to not expose any data by accident.
Fixes #1333
diff --git a/bin/varnishd/cache/cache_esi_parse.c b/bin/varnishd/cache/cache_esi_parse.c
index 1b043a3..68c96e6 100644
--- a/bin/varnishd/cache/cache_esi_parse.c
+++ b/bin/varnishd/cache/cache_esi_parse.c
@@ -457,7 +457,6 @@ vep_do_include(struct vep_state *vep, enum dowhat what)
vep->include_src = NULL;
return;
}
- XXXAZ(vep->include_src); /* multiple src= */
vep->include_src = vep->attr_vsb;
return;
}
@@ -486,17 +485,34 @@ vep_do_include(struct vep_state *vep, enum dowhat what)
l = VSB_len(vep->include_src);
h = 0;
- VSB_printf(vep->vsb, "%c", VEC_INCL);
if (l > 7 && !memcmp(p, "http://", 7)) {
h = p + 7;
p = strchr(h, '/');
AN(p);
Debug("HOST <%.*s> PATH <%s>\n", (int)(p-h),h, p);
- VSB_printf(vep->vsb, "Host: %.*s%c",
- (int)(p-h), h, 0);
+ VSB_printf(vep->vsb, "%c", VEC_INCL);
+ VSB_printf(vep->vsb, "Host: %.*s%c", (int)(p-h), h, 0);
+ } else if (l > 8 && !memcmp(p, "https://", 8)) {
+ if (!FEATURE(FEATURE_ESI_IGNORE_HTTPS)) {
+ vep_warn(vep,
+ "ESI 1.0 <esi:include> with https:// ignored");
+ vep->state = VEP_TAGERROR;
+ vep->attr_vsb = NULL;
+ vep->include_src = NULL;
+ return;
+ }
+ vep_warn(vep,
+ "ESI 1.0 <esi:include> https:// treated as http://");
+ h = p + 8;
+ p = strchr(h, '/');
+ AN(p);
+ VSB_printf(vep->vsb, "%c", VEC_INCL);
+ VSB_printf(vep->vsb, "Host: %.*s%c", (int)(p-h), h, 0);
} else if (*p == '/') {
+ VSB_printf(vep->vsb, "%c", VEC_INCL);
VSB_printf(vep->vsb, "%c", 0);
} else {
+ VSB_printf(vep->vsb, "%c", VEC_INCL);
VSB_printf(vep->vsb, "%c", 0);
url = vep->bo->bereq->hd[HTTP_HDR_URL];
/* Look for the last / before a '?' */
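Review bot: The new https:// branch copies `p = strchr(h, '/'); AN(p);` from the http:// branch, so an include whose src has no path after the host (e.g. `src="https://host"`) hits an assertion on backend-supplied content rather than a vep_warn; the existing http:// branch has the same pattern, but the new branch is the place to stop replicating it. The TAGERROR cleanup sequence (state, attr_vsb, include_src) already appears earlier in this hunk and can be reused for a NULL check. Two smaller points of consistency: the https branch lacks the `Debug("HOST <%.*s> PATH <%s>\n", ...)` line its http sibling has, and `VSB_printf(vep->vsb, "%c", VEC_INCL);` is now repeated in four branches, presumably so that an ignored include emits nothing, which is worth a one-line comment above the first copy. vep_do_include begins and ends outside the hunk.
```c
	} else if (l > 8 && !memcmp(p, "https://", 8)) {
		/* … unchanged: FEATURE_ESI_IGNORE_HTTPS check, warning … */
		h = p + 8;
		p = strchr(h, '/');
		if (p == NULL) {
			vep_warn(vep,
			    "ESI 1.0 <esi:include> https:// src without path ignored");
			vep->state = VEP_TAGERROR;
			vep->attr_vsb = NULL;
			vep->include_src = NULL;
			return;
		}
		Debug("HOST <%.*s> PATH <%s>\n", (int)(p-h),h, p);
		VSB_printf(vep->vsb, "%c", VEC_INCL);
		VSB_printf(vep->vsb, "Host: %.*s%c", (int)(p-h), h, 0);
```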
diff --git a/bin/varnishd/cache/cache_fetch.c b/bin/varnishd/cache/cache_fetch.c
index a49ae95..cb59bad 100644
--- a/bin/varnishd/cache/cache_fetch.c
+++ b/bin/varnishd/cache/cache_fetch.c
@@ -220,7 +220,7 @@ vbf_stp_fetchhdr(struct worker *wrk, struct busyobj *bo)
http_PrintfHeader(bo->beresp, "Content-Length: %jd",
bo->ims_obj->len);
do_ims = 1;
- } else
+ } else
do_ims = 0;
VCL_backend_response_method(bo->vcl, wrk, NULL, bo, bo->beresp->ws);
diff --git a/bin/varnishtest/tests/r01333.vtc b/bin/varnishtest/tests/r01333.vtc
new file mode 100644
index 0000000..7b712e0
--- /dev/null
+++ b/bin/varnishtest/tests/r01333.vtc
@@ -0,0 +1,46 @@
+varnishtest "ESI:include with https"
+
+server s1 {
+ rxreq
+ expect req.url == "/"
+ txresp -body {
+ <html>
+ Before include
+ <!--esi <esi:include src="https://bozz/body"/> -->
+ After include
+ }
+
+ rxreq
+ expect req.url == "/foo"
+ txresp -body {
+ <html>
+ Before include
+ <!--esi <esi:include src="https://bozz/body"/> -->
+ After include
+ }
+ rxreq
+ expect req.url == "/body"
+ expect req.http.host == "bozz"
+ txresp -body BAR
+
+} -start
+
+varnish v1 -vcl+backend {
+ sub vcl_backend_response {
+ set beresp.do_esi = true;
+ }
+} -start
+
+client c1 {
+ txreq
+ rxresp
+ expect resp.bodylen == 49
+} -run
+
+varnish v1 -cliok "param.set feature +esi_ignore_https"
+
+client c1 {
+ txreq -url /foo
+ rxresp
+ expect resp.bodylen == 52
+} -run
diff --git a/include/tbl/feature_bits.h b/include/tbl/feature_bits.h
index 9d99449..e6970ad 100644
--- a/include/tbl/feature_bits.h
+++ b/include/tbl/feature_bits.h
@@ -41,3 +41,7 @@ FEATURE_BIT(NO_COREDUMP, no_coredump, "",
"No coredumps.",
"Don't attempt to coredump child process on panics."
)
+FEATURE_BIT(ESI_IGNORE_HTTPS, esi_ignore_https, "",
+ "Treat HTTPS as HTTP in ESI:includes",
+ "Convert <esi:include src\"https://... to http://..."
+)
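Review bot: The long description on the new FEATURE_BIT line drops the `=` from the attribute it names, `src\"https://...` should read `src=\"https://...`, i.e. `"Convert <esi:include src=\"https://... to http://..."`. It would also help operators if the same string stated what happens while the bit is off, which the commit message gives as the default: the include is ignored and a warning is emitted.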