Detecting and fixing VSV00004 in older releases

Dridi Boukelmoune dridi at varni.sh
Wed May 13 09:03:30 UTC 2020


> I tried to reproduce it myself today and I wasn't able to trigger the
> leak on the master branch's commit prior to the fix. I asked
> internally whether we have a reliable reproducer or if it's something
> that needs a consequential workload to be observable.

The step I was missing trying to reproduce this on my own was ensuring
that the error reason is far enough in the client workspace to be
leakable.

It turns out we had a test case covering all 3 scenarios that was
supposed to be pushed a while after the disclosure, but was forgotten.

You can use this test case now before and after applying the patch:

https://github.com/varnishcache/varnish-cache/commit/0c9c38513bdb7730ac886eba7563f2d87894d734

Dridi

