base64 blob.decode() default error handling

Geoff Simmons geoff at uplex.de
Mon Nov 4 12:51:25 UTC 2019 

On 11/4/19 03:32, pyunyh wrote:
> Hi,
> 
> In order to validate client supplied base64 encoded string I have a
> VCL something like the following.
> 
>         if (blob.length(blob.decode(BASE64, 0, req.http.Sec-WebSocket-Key)) != 16) {
>                 return (synth(400, "Bad Request"));
>         }
> 
> If the Sec-WebSocket-Key header has a badly encoded string VCL will
> generate a "503 VCL failed" response. It's somewhat hard to generate
> a 400 repsonse in this case, since very little thing can be done in
> vcl_synth().  As you know resp.status can be overriden as well as
> resp.reason in vcl_synth() but all state tracking made so far is
> completely lost in vcl_synth() so there is no way to know where the
> vcl_synth() is called from which context.
> What is proper way to handle this case?
> If there is a way to override arguments passed to synth() with
> return(fail) during base64 decoding this will address the issue.
> I think this can be easily solved with inline C but it it would be
> better to have a VCL method as vcc_allow_inline_c is disabled by
> default.

@pyunyh, I'm moving this to varnish-misc, which is the more appropriate
list for a user question like this.

This is a general issue with VCL failure -- in vcl_synth, you can tell
from resp.reason=="VCL failed" that it was VCL failure that you got you
there, but there is little to no information about what caused the
failure, so it can be difficult to impossible to implement specific
error handling.

I can see why you need this for the vmod blob use case. But I would
suggest that the Varnish dev team consider a general solution for
identifying the cause of a VCL failure, rather than special-casing a
solution for the vmod.

@pyunyh, as a workaround you might go to the old trick of using a
request header as a variable:

# assuming that req.http.X-Sec-WebSocket-Key-Validated is not set
# at this point, or not set to "true"
if (blob.length(blob.decode(BASE64, 0, req.http.Sec-WebSocket-Key)) != 16) {
        return (synth(400, "Bad Request"));
}
set req.http.X-Sec-WebSocket-Key-Validated = "true";

# now in vcl_synth:
if (resp.reason == "VCL failed"
    && req.http.X-Sec-WebSocket-Key-Validated != "true") {
	set resp.status = 400;
	set resp.reason = "Bad Request";
}


HTH,
Geoff
-- 
** * * UPLEX - Nils Goroll Systemoptimierung

Scheffelstraße 32
22301 Hamburg

Tel +49 40 2880 5731
Mob +49 176 636 90917
Fax +49 40 42949753

http://uplex.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20191104/f8bc2960/attachment.bin>

More information about the varnish-misc mailing list