Varnish 5.2.0 child panic

Hugues Alary hugues at betabrand.com
Wed Nov 29 18:04:46 UTC 2017


Hi Dridi,

I actually did think about this originally, but decided to only obfuscate
one cookie ("frontend", which I replaced with deadbeefdeadbeefdeadbeefaa in
both panics).

Now, thinking back about it (thanks to your email), even though it would be
hard to infer anything of value from any of the other cookies, I probably
should have obfuscated them too.

As for the IP address, this was definitely an omission on my part.

I appreciate the reminder.

Cheers,
-Hugues


On Wed, Nov 29, 2017 at 12:56 AM, Dridi Boukelmoune <dridi at varni.sh> wrote:

> On Wed, Nov 29, 2017 at 12:35 AM, Hugues Alary <hugues at betabrand.com>
> wrote:
> > Just realized this might be better as a bug report, I'll submit one if
> > needed.
> >
> > Also, I just had another panic:
>
> Hi,
>
> You should sanitize the panic output to not disclose user cookies
> publicly! Replace the value with junk next time.
>
> > Panic at: Tue, 28 Nov 2017 22:18:49 GMT
> > Assert error in HSH_Lookup(), cache/cache_hash.c line 432:
> >   Condition((vary) != 0) not true.
> > version = varnish-5.2.0 revision 4c4875cbf, vrt api = 6.1
> > ident = Linux,4.4.64+,x86_64,-junix,-smalloc,-smalloc,-hcritbit,epoll
> > now = 1786235.707578 (mono), 1511907529.436702 (real)
> > Backtrace:
> >   0x556f4d169e36: varnishd(+0x4ae36) [0x556f4d169e36]
> >   0x556f4d1b4b80: varnishd(VAS_Fail+0x40) [0x556f4d1b4b80]
> >   0x556f4d15f1b2: varnishd(HSH_Lookup+0xcb2) [0x556f4d15f1b2]
> >   0x556f4d16e14f: varnishd(CNT_Request+0xedf) [0x556f4d16e14f]
> >   0x556f4d18dda2: varnishd(+0x6eda2) [0x556f4d18dda2]
> >   0x556f4d18525c: varnishd(+0x6625c) [0x556f4d18525c]
> >   0x556f4d185780: varnishd(+0x66780) [0x556f4d185780]
> >   0x7f13aa27c494: /lib/x86_64-linux-gnu/libpthread.so.0(+0x7494)
> > [0x7f13aa27c494]
> >   0x7f13a9fbeaff: /lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)
> > [0x7f13a9fbeaff]
> > thread = (cache-worker)
> > thr.req = 0x7f1245e0a020 {
> >   vxid = 2869347, transport = HTTP/1 {
> >     state = HTTP1::Proc
> >   }
> >   step = R_STP_LOOKUP,
> >   req_body = R_BODY_NONE,
> >   restarts = 0, esi_level = 0,
> >   sp = 0x7f137a00ea20 {
> >     fd = 65, vxid = 2869346,
> >     t_open = 1511907453.132658,
> >     t_idle = 1511907453.132658,
> >     transport = HTTP/1 {
> >       state = HTTP1::Proc
> >     }
> >     client = 10.44.43.4 45520,
> >     privs = 0x7f137a00ea88 {
> >     },
> >   },
> >   worker = 0x7f1388213dd0 {
> >     stack = {0x7f1388214000 -> 0x7f1388181000},
> >     ws = 0x7f1388213e78 {
> >       id = \"wrk\",
> >       {s, f, r, e} = {0x7f1388213190, +0, (nil), +2040},
> >     },
> >     VCL::method = DELIVER,
> >     VCL::return = deliver,
> >     VCL::methods = {},
> >   },
> >   ws = 0x7f1245e0a208 {
> >     id = \"req\",
> >     {s, f, r, e} = {0x7f1245e0c008, +4144, +516080, +516080},
> >   },
> >   http_conn = 0x7f1245e0a130 {
> >     fd = 65 (@0x7f137a00ea38),
> >     doclose = NULL,
> >     ws = 0x7f1245e0a208 {
> >       [Already dumped, see above]
> >     },
> >     {rxbuf_b, rxbuf_e} = {0x7f1245e0c008, 0x7f1245e0cf01},
> >     {pipeline_b, pipeline_e} = {(nil), (nil)},
> >     content_length = -1,
> >     body_status = none,
> >     first_byte_timeout = 0.000000,
> >     between_bytes_timeout = 0.000000,
> >   },
> >   http[req] = 0x7f1245e0a2a0 {
> >     ws = 0x7f1245e0a208 {
> >       [Already dumped, see above]
> >     },
> >     hdrs {
> >       \"GET\",
> >       \"/api/rest/reviews/product/6430\",
> >       \"HTTP/1.1\",
> >       \"Host: www.betabrand.com\",
> >       \"Accept-Encoding: gzip\",
> >       \"CF-IPCountry: US\",
> >       \"CF-RAY: 3c50b2adfddd5a56-BOS\",
> >       \"CF-Visitor: {\"scheme\":\"https\"}\",
> >       \"user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_2 like Mac
> OS X)
> > AppleWebKit/604.3.5 (KHTML, like Gecko) Mobile/15B202
> > [FBAN/FBIOS;FBAV/150.0.0.32.132;FBBV/80278251;FBDV/
> iPhone9,1;FBMD/iPhone;FBSN/iOS;FBSV/11.1.2;FBSS/2;FBCR/
> Verizon;FBID/phone;FBLC/en_US;FBOP/5;FBRV/0]\",
> >       \"accept-language: en-us\",
> >       \"referer:
> > https://www.betabrand.com/womens/pants/dress-pant-yoga-
> pants-collection/womens-black-boot-flare-dress-pant-yoga-pants\",
>
> For example:
>
> >       \"cookie: XXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXX; XXXXXX=XXXXXXXXX;
> > XXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXX=
> XXXXXXXXXXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXX=XXXXXXX;
> > XXX=XXXXXXXXXXXXXXXXXXXXXXXXXXX; XXXXXXXXXXXXXXXXXX=X;
> > XXXX=XXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXXX=X;
> > XXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXX=XXXXXXXXXXXXXX; XXXXXXX=XXXXXXXXXXXX; XXXXX=X;
> > XXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXX XX XXXX XXXXXXXX XXXXXXXX XXXXX;
> > XXXXXXXXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXX XX XXXX XXXXXXXX XXXXXXXX XXXXX;
> > XXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> XXXXXXXXXXXXXXXXXXXX=X;
> > XXXXXXXXXXXXXXXX=X; XXXXXXXXXX=X;
> > XXXXXXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXX XX XXXX XXXXXXXX XXXXXXXX XXXXX; XXXXXXXXXXXXXXXXXXXXXX=XXXX;
> > XXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; XXXXXXXXXXX=X;
> > XXXXXXXXXXX=X; XXXXXXXXXXXXXXXXX=XXXXXXXXXXXXX;
> > XXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
> > XXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",
>
> And anything sensitive in general like IP addresses...
>
> >       \"CF-Connecting-IP: 208.64.112.35\",
> >       \"X-Forwarded-Proto: https\",
> >       \"Connection: close\",
> >       \"X-Request-Start: t=1511907453131\",
> >       \"X-Queue-Start: t=1511907453131\",
> >       \"X-Unique-ID: 0A800027:8911_0A2C2B04:01BB_
> 5A1DE07D_30A0ADB:0009\",
> >       \"X-Forwarded-For: 208.64.112.35, 10.128.0.39, 10.44.43.4,
> > 10.44.43.4\",
> >       \"X-PSA-Blocking-Rewrite: betabrand-pagespeed\",
> >       \"Accept: application/json\",
> >     },
> >   },
> >   vcl = {
> >     name = \"boot\",
> >     busy = 135,
> >     discard = 0,
> >     state = auto,
> >     temp = warm,
> >     conf = {
> >       srcname = {
> >         \"/etc/varnish/default.vcl\",
> >         \"Builtin\",
> >       },
> >     },
> >   },
> >   vmods = {
> >     std = {Varnish 5.2.0 4c4875cbf, 0.0},
> >     directors = {Varnish 5.2.0 4c4875cbf, 0.0},
> >   },
> >   flags = {
> >   },
> > },
> > thr.busyobj = (nil) {
> > },
>
> Dridi
>
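
Dridi's advice (junk out cookie values and IP addresses before posting a panic), as an added example that is not part of the original thread or of Varnish: a Python filter to run over the raw panic text. The function names, the constructed sample dump and the use of 192.0.2.0/24 as replacement addresses are assumptions of this example; it also masks `set-cookie`, which the thread does not mention.

```python
import re

# A cookie/set-cookie header as printed in the dump; quotes may be backslash-escaped.
_COOKIE_LINE = re.compile(
    r'^(?P<pre>\s*\\?")(?P<name>(?:set-)?cookie):\s*(?P<val>.*?)(?P<post>\\?",?\s*)$',
    re.IGNORECASE)
# A dotted quad that is not part of a longer dotted number (e.g. an app version).
_IPV4 = re.compile(r'(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])')

# Constructed sample in the shape of the dump above; all values are made up.
SAMPLE = r'''    client = 10.0.0.5 45520,
      \"user-agent: Mozilla/5.0 [FBAN/FBIOS;FBAV/150.0.0.32.132]\",
      \"cookie: frontend=s3cr3tvalue; cart=42\",
      \"X-Forwarded-For: 198.51.100.23, 10.0.0.5\",'''


def _mask_cookies(value):
    """Keep cookie names; replace each value with X's of the same length."""
    out = []
    for pair in value.split(";"):
        name, sep, val = pair.partition("=")
        # A token without "=" is treated as all value.
        out.append(name + sep + "X" * len(val) if sep else re.sub(r"\S", "X", pair))
    return ";".join(out)


def sanitize_panic(text):
    """Return (sanitized_text, ip_mapping). Keep ip_mapping private."""
    mapping = {}

    def _swap_ip(m):
        ip = m.group(0)
        if any(int(octet) > 255 for octet in ip.split(".")):
            return ip  # not an address
        n = mapping.setdefault(ip, len(mapping) + 1)
        if n > 254:
            raise ValueError("more distinct addresses than 192.0.2.0/24 holds")
        # The same input address always maps to the same documentation address,
        # so the relation between "client =" and X-Forwarded-For stays visible.
        return "192.0.2.%d" % n

    lines = []
    for line in text.splitlines():
        m = _COOKIE_LINE.match(line)
        if m:
            line = "%s%s: %s%s" % (m["pre"], m["name"], _mask_cookies(m["val"]), m["post"])
        lines.append(_IPV4.sub(_swap_ip, line))
    return "\n".join(lines), mapping
```

It expects the dump one header per line, before any mail client has re-wrapped it; IPv6 addresses and other sensitive headers are not handled and still need a manual pass.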