full disclosure reports
Artur Bergman
sky at crucially.net
Wed Mar 6 16:45:29 CET 2013
On Mar 6, 2013, at 7:38 AM, "Poul-Henning Kamp" <phk at phk.freebsd.dk> wrote:
> In message <513755AD.2010808 at schokola.de>, Nils Goroll writes:
>
>> IIUC to exploit any of these one would need access to a backend or at least some
>> way to make a backend produce certain response headers.
>
> They contacted me up front, I told them we don't consider it a security
> problem, because Varnish has to trust the backend being sensible.
>
> We'd be just as hosed if the backend started sending only 1TB objects.
>
> --
Thank you for that very pragmatic and mature view of the world.
Cheers
Artur
For the sarcasm-deficient people out there, this email contains 1000% sarcasm.
More information about the varnish-dev mailing list