[Varnish] #1862: Request URL with whitespace is allowed
Varnish
varnish-bugs at varnish-cache.org
Mon Feb 29 10:48:34 CET 2016
#1862: Request URL with whitespace is allowed
----------------------+--------------------
Reporter: espebra | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: varnishd | Version: 4.0.3
Severity: normal | Resolution:
Keywords: |
----------------------+--------------------
Comment (by Dridi):
In Espen's test case, the client URL is {{{"/foo bar"}}} and {{{"bar"}}}
leaks in {{{req.proto}}}, so we have a workaround:
{{{
sub vcl_recv {
if (req.proto !~ "^HTTP/1.[01]$") {
return (synth(400, "Bad Request"));
}
}
}}}
I'm personally leaning toward a 400 error because it's simple and it
doesn't acknowledge non-compliant clients (which I believe in most cases
would be malicious).
--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1862#comment:2>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator
More information about the varnish-bugs
mailing list