full disclosure reports

Artur Bergman sky at crucially.net
Wed Mar 6 16:45:29 CET 2013


On Mar 6, 2013, at 7:38 AM, "Poul-Henning Kamp" <phk at phk.freebsd.dk> wrote:

> In message <513755AD.2010808 at schokola.de>, Nils Goroll writes:
> 
>> IIUC to exploit any of these one would need access to a backend or at least some 
>> way to make a backend produce certain response headers.
> 
> They contacted me up front, I told them we don't consider it a security
> problem, because Varnish has to trust the backend being sensible.
> 
> We'd be just as hosed if the backend started sending only 1TB objects.
> 
> -- 

Thank you for that very pragmatic and mature view of the world.

Cheers
Artur

For the sarcasm-deficient people out there, this email contains 1000% sarcasm.






More information about the varnish-dev mailing list