<div dir="ltr"><div>Hi Rudd,</div><div><br></div><div>Sorry for the delay, for some reason your email ended up in my spam folder, I just saw it today.</div><div><br></div><div>Cache poisoning is a vast subject, and in absence of more context the answer to your question is probably going to be "yes, but no but still, intrinsically yes".</div><div><br></div><div>Yes, because you can mess up your configuration with something like:</div><div style="margin-left:40px"><span style="font-family:monospace">sub vcl_hash {</span></div><div style="margin-left:40px"><span style="font-family:monospace"> hash_data("foo");</span></div><div style="margin-left:40px"><span style="font-family:monospace"> return(lookup);<br></span></div><div style="margin-left:40px"><span style="font-family:monospace">}</span></div><div>and boom, all objects are basically going to be cached under the same cache key, which is super bad, don't do that.</div><div><div>The freedom you get through configuration can turn against you. Here's my favorite example to explain it:</div><div><div style="margin-left:40px"><span style="font-family:monospace">sub vcl_hash {</span></div><div style="margin-left:40px"><span style="font-family:monospace"> hash_data(req.url);</span></div><div style="margin-left:40px"><span style="font-family:monospace"> hash_data(req.http.host);<br></span></div><div style="margin-left:40px"><span style="font-family:monospace"> if (req.http.a) {</span></div><div style="margin-left:40px"><span style="font-family:monospace"> </span><span style="font-family:monospace">hash_data(</span><span style="font-family:monospace">req.http.a</span><span style="font-family:monospace">);</span></div><div style="margin-left:40px"><span style="font-family:monospace"> }</span></div><div style="margin-left:40px"> <span style="font-family:monospace">if (req.http.b) {</span><div style="margin-left:40px"><span style="font-family:monospace">hash_data(</span><span style="font-family:monospace">req.http.b</span><span style="font-family:monospace">)</span></div></div><div style="margin-left:40px"><span style="font-family:monospace"> }</span></div><div style="margin-left:40px"><span style="font-family:monospace"> return(lookup);<br></span></div><div style="margin-left:40px"><span style="font-family:monospace">}</span></div></div><div>Which isn't nearly as dumb as the original example, but which will hash these two requests the same way:<br></div><div style="margin-left:40px"><span style="font-family:monospace">curl <a href="http://example.com/foo">example.com/foo</a> -H "a: bar"</span></div><div style="margin-left:40px"><span style="font-family:monospace">curl <a href="http://example.com/foo">example.com/foo</a> -H "b: bar"</span></div><div></div><div>And if somebody knows about how you hash your object and there's a similar flaw in the hashing logic, you can get cache </div></div><div><br></div><div>No, because Varnish is an extremely secure piece of software with an excellent security track record and I don't think it ever got a CVE that poisoned the cache. not to say it can't/won't happen, but sometimes past performance is a good indicator of future results.</div><div><br></div><div>So, even though the software is safe and secure, you can still shoot yourself in the foot if you want to (or are not careful). Thousands of cases of cache poisoning happens yearly because somebody forgot to tell their CDN that the querystring needs to be part of the cache key AND sorted.</div><div><br></div><div>Hopefully this helps, let me know if you have more context to narrow the scope of that very vast topic :-)</div><div><br></div><div>Ah, and while I'm here: please don't use massively antiquated Varnish versions. 4.1 has been EOL a while ago, it's really not recommended to use.</div><div><br></div><div>Cheers,</div><div><br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>-- <br></div><div>Guillaume Quintard<br></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 27, 2023 at 12:54 AM <<a href="mailto:ruud.peters@kpn.com">ruud.peters@kpn.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-2976147800638597686">
<div lang="NL" style="overflow-wrap: break-word;">
<div class="m_-2976147800638597686WordSection1">
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span lang="EN" style="font-size:10pt;font-family:"Courier New"">Is there anything known that Varnish has problems with cache poisening? And if yes, how can this be avoided in the config?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN" style="font-size:10pt;font-family:"Courier New"">We are running a old version of Varnish (varnish-4.1.8 revision d266ac5c6)</span><span lang="EN-US" style="font-size:10pt;font-family:"Courier New""><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:black">Met vriendelijke groet / With kind regards,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:black"><u></u> <u></u></span></p>
<table border="0" cellspacing="3" cellpadding="0" style="margin-left:5.4pt">
<tbody>
<tr>
<td width="99" valign="top" style="width:74.05pt;border-width:medium 1pt medium medium;border-style:none solid none none;border-color:currentcolor rgb(91,155,213) currentcolor currentcolor;padding:0cm 6pt 0cm 0cm">
<p class="MsoNormal" align="center" style="text-align:center;line-height:105%">
<span style="font-size:8pt;line-height:105%;color:rgb(31,73,125)"><img width="86" height="67" style="width: 0.9in; height: 0.7in;" id="m_-2976147800638597686Afbeelding_x0020_1" src="cid:18b7d99067f4cff311"></span><span style="color:black"><u></u><u></u></span></p>
</td>
<td width="268" valign="top" style="width:200.85pt;padding:0cm 0.75pt 0cm 4.5pt">
<p class="MsoNormal" style="line-height:105%"><b><span style="font-size:10pt;line-height:105%;color:black;border:1pt windowtext;padding:0cm">Ruud Peters<u></u><u></u></span></b></p>
<p class="MsoNormal" style="line-height:105%"><b><span style="font-size:10pt;line-height:105%;color:black;border:1pt windowtext;padding:0cm">Technisch Beheerder TAM3<u></u><u></u></span></b></p>
<p class="MsoNormal" style="line-height:105%"><span style="font-size:10.5pt;line-height:105%;font-family:"Segoe UI",sans-serif;color:rgb(112,112,112);background:white">Integration SA DevOps 3</span><b><span style="font-size:10pt;line-height:105%;color:black;border:1pt windowtext;padding:0cm"><u></u><u></u></span></b></p>
<p class="MsoNormal" style="line-height:105%"><b><span style="font-size:10pt;line-height:105%;color:black;border:1pt windowtext;padding:0cm"><u></u> <u></u></span></b></p>
<p class="MsoNormal" style="line-height:105%"><span lang="EN-US" style="font-size:10pt;line-height:105%;color:black">Email :
</span><span style="font-size:10pt;line-height:105%;color:black"><a href="mailto:ruud.peters@kpn.com" target="_blank"><span lang="EN-US" style="color:black">ruud.peters@kpn.com</span></a></span><span lang="EN-US" style="font-size:10pt;line-height:105%;color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10pt;color:black">Phone : +31630736741<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10pt">Stationsplein 18 6221 BT, Maastricht<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10pt;color:black"><br>
(On Mondays and Thursdays I’m in the office until about 14:00)<u></u><u></u></span></p>
<p class="MsoNormal" style="line-height:105%"><span lang="EN-US" style="font-size:10pt;line-height:105%;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="font-size:10pt;line-height:105%">Handelsregister KvK Den Haag<span style="color:black"><u></u><u></u></span></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="font-size:10pt;line-height:105%">Nr. 27124701</span><span style="font-size:7.5pt;line-height:105%;font-family:"Arial",sans-serif;color:black"><u></u><u></u></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="line-height:115%"><span style="font-size:8.5pt;line-height:115%;font-family:"Arial",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal" style="line-height:115%"><span>
</span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_kpn&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=SHw-AgeWmMkMA0HlnhzHhxKjC0-3ZvNfsNAC7uRfT_M&m=PPlxN7TMhT2xr2QgTxCcLKJXrujT3E_BtoULxbTfOuU&s=__LlIYz1us6athyMaicWUENl0eXliwsKc6ZOuLjthxA&e=" target="_blank"><span style="font-size:10.5pt;line-height:115%;font-family:"Arial",sans-serif;color:rgb(0,170,255);text-decoration:none"><img border="0" width="35" height="24" style="width: 0.3666in; height: 0.25in;" id="m_-2976147800638597686Afbeelding_x0020_2" src="cid:18b7d9906815b006a2" alt="twitter"></span></a><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_kpn&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=SHw-AgeWmMkMA0HlnhzHhxKjC0-3ZvNfsNAC7uRfT_M&m=PPlxN7TMhT2xr2QgTxCcLKJXrujT3E_BtoULxbTfOuU&s=Zxz20RO2KypBQqvxBL2tDdL29IvpFS3LvGxQrytAtdY&e=" target="_blank"><span style="font-size:10.5pt;line-height:115%;font-family:"Arial",sans-serif;color:rgb(0,170,255);text-decoration:none"><img border="0" width="35" height="24" style="width: 0.3666in; height: 0.25in;" id="m_-2976147800638597686Afbeelding_x0020_3" src="cid:18b7d9906826917eb3" alt="facebook"></span></a><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_company_kpn&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=SHw-AgeWmMkMA0HlnhzHhxKjC0-3ZvNfsNAC7uRfT_M&m=PPlxN7TMhT2xr2QgTxCcLKJXrujT3E_BtoULxbTfOuU&s=CJB3bkdHr0lzGaD_Jwd6PDj5r4RpEXY-YqKEP9Z0DVg&e=" target="_blank"><span style="font-size:10.5pt;line-height:115%;font-family:"Arial",sans-serif;color:rgb(0,170,255);text-decoration:none"><img border="0" width="35" height="24" style="width: 0.3666in; height: 0.25in;" id="m_-2976147800638597686Afbeelding_x0020_4" src="cid:18b7d990683772f6c4" alt="linkedin"></span></a><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_user_KPN&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=SHw-AgeWmMkMA0HlnhzHhxKjC0-3ZvNfsNAC7uRfT_M&m=PPlxN7TMhT2xr2QgTxCcLKJXrujT3E_BtoULxbTfOuU&s=qsRYQVgKH5enM9ot1yuxgeDHFD_rMJZQ1D8WtoKznkA&e=" target="_blank"><span style="font-size:10.5pt;line-height:115%;font-family:"Arial",sans-serif;color:rgb(0,170,255);text-decoration:none"><img border="0" width="24" height="24" style="width: 0.25in; height: 0.25in;" id="m_-2976147800638597686Afbeelding_x0020_5" src="cid:18b7d9906838546ed5" alt="youtube"></span></a><span style="font-size:8.5pt;line-height:115%;font-family:"Arial",sans-serif"><u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
_______________________________________________<br>
varnish-misc mailing list<br>
<a href="mailto:varnish-misc@varnish-cache.org" target="_blank">varnish-misc@varnish-cache.org</a><br>
<a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" rel="noreferrer" target="_blank">https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc</a><br>
</div></blockquote></div>