<div dir="ltr">Hi Dridi, <div><br></div><div>I actually did think about this originally, but decided to only obfuscate one cookie ("frontend", which I replaced with deadbeefdeadbeefdeadbeefaa in both panics).</div><div><br></div><div>Now, thinking back about it (thanks to your email), even though it would be hard to infer anything of value from any of the other cookies, I probably should have obfuscated them too. </div><div><br></div><div>As for the IP address, this was definitely an omission on my part.</div><div><br></div><div>I appreciate the reminder.</div><div><br></div><div>Cheers,</div><div>-Hugues<br><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 29, 2017 at 12:56 AM, Dridi Boukelmoune <span dir="ltr"><<a href="mailto:dridi@varni.sh" target="_blank">dridi@varni.sh</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, Nov 29, 2017 at 12:35 AM, Hugues Alary <<a href="mailto:hugues@betabrand.com">hugues@betabrand.com</a>> wrote:<br>
> Just realized this might be better as a bug report, I'll submit one if<br>
> needed.<br>
><br>
> Also, I just had another panic:<br>
<br>
</span>Hi,<br>
<br>
You should sanitize the panic output to not disclose user cookies<br>
publicly! Replace the value with junk next time.<br>
<div><div class="h5"><br>
> Panic at: Tue, 28 Nov 2017 22:18:49 GMT<br>
> Assert error in HSH_Lookup(), cache/cache_hash.c line 432:<br>
>   Condition((vary) != 0) not true.<br>
> version = varnish-5.2.0 revision 4c4875cbf, vrt api = 6.1<br>
> ident = Linux,4.4.64+,x86_64,-junix,-<wbr>smalloc,-smalloc,-hcritbit,<wbr>epoll<br>
> now = 1786235.707578 (mono), 1511907529.436702 (real)<br>
> Backtrace:<br>
>   0x556f4d169e36: varnishd(+0x4ae36) [0x556f4d169e36]<br>
>   0x556f4d1b4b80: varnishd(VAS_Fail+0x40) [0x556f4d1b4b80]<br>
>   0x556f4d15f1b2: varnishd(HSH_Lookup+0xcb2) [0x556f4d15f1b2]<br>
>   0x556f4d16e14f: varnishd(CNT_Request+0xedf) [0x556f4d16e14f]<br>
>   0x556f4d18dda2: varnishd(+0x6eda2) [0x556f4d18dda2]<br>
>   0x556f4d18525c: varnishd(+0x6625c) [0x556f4d18525c]<br>
>   0x556f4d185780: varnishd(+0x66780) [0x556f4d185780]<br>
>   0x7f13aa27c494: /lib/x86_64-linux-gnu/<wbr>libpthread.so.0(+0x7494)<br>
> [0x7f13aa27c494]<br>
>   0x7f13a9fbeaff: /lib/x86_64-linux-gnu/libc.so.<wbr>6(clone+0x3f)<br>
> [0x7f13a9fbeaff]<br>
> thread = (cache-worker)<br>
> thr.req = 0x7f1245e0a020 {<br>
>   vxid = 2869347, transport = HTTP/1 {<br>
>     state = HTTP1::Proc<br>
>   }<br>
>   step = R_STP_LOOKUP,<br>
>   req_body = R_BODY_NONE,<br>
>   restarts = 0, esi_level = 0,<br>
>   sp = 0x7f137a00ea20 {<br>
>     fd = 65, vxid = 2869346,<br>
>     t_open = 1511907453.132658,<br>
>     t_idle = 1511907453.132658,<br>
>     transport = HTTP/1 {<br>
>       state = HTTP1::Proc<br>
>     }<br>
>     client = 10.44.43.4 45520,<br>
>     privs = 0x7f137a00ea88 {<br>
>     },<br>
>   },<br>
>   worker = 0x7f1388213dd0 {<br>
>     stack = {0x7f1388214000 -> 0x7f1388181000},<br>
>     ws = 0x7f1388213e78 {<br>
>       id = \"wrk\",<br>
>       {s, f, r, e} = {0x7f1388213190, +0, (nil), +2040},<br>
>     },<br>
>     VCL::method = DELIVER,<br>
>     VCL::return = deliver,<br>
>     VCL::methods = {},<br>
>   },<br>
>   ws = 0x7f1245e0a208 {<br>
>     id = \"req\",<br>
>     {s, f, r, e} = {0x7f1245e0c008, +4144, +516080, +516080},<br>
>   },<br>
>   http_conn = 0x7f1245e0a130 {<br>
>     fd = 65 (@0x7f137a00ea38),<br>
>     doclose = NULL,<br>
>     ws = 0x7f1245e0a208 {<br>
>       [Already dumped, see above]<br>
>     },<br>
>     {rxbuf_b, rxbuf_e} = {0x7f1245e0c008, 0x7f1245e0cf01},<br>
>     {pipeline_b, pipeline_e} = {(nil), (nil)},<br>
>     content_length = -1,<br>
>     body_status = none,<br>
>     first_byte_timeout = 0.000000,<br>
>     between_bytes_timeout = 0.000000,<br>
>   },<br>
>   http[req] = 0x7f1245e0a2a0 {<br>
>     ws = 0x7f1245e0a208 {<br>
>       [Already dumped, see above]<br>
>     },<br>
>     hdrs {<br>
>       \"GET\",<br>
>       \"/api/rest/reviews/product/<wbr>6430\",<br>
>       \"HTTP/1.1\",<br>
>       \"Host: www.betabrand.com\",<br>
>       \"Accept-Encoding: gzip\",<br>
>       \"CF-IPCountry: US\",<br>
>       \"CF-RAY: 3c50b2adfddd5a56-BOS\",<br>
>       \"CF-Visitor: {\"scheme\":\"https\"}\",<br>
>       \"user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_2 like Mac OS X)<br>
> AppleWebKit/604.3.5 (KHTML, like Gecko) Mobile/15B202<br>
> [FBAN/FBIOS;FBAV/150.0.0.32.132;FBBV/80278251;FBDV/iPhone9,1;FBMD/iPhone;FBSN/iOS;FBSV/11.1.2;FBSS/2;FBCR/Verizon;FBID/phone;FBLC/en_US;FBOP/5;FBRV/0]\",<br>
>       \"accept-language: en-us\",<br>
>       \"referer:<br>
> https://www.betabrand.com/womens/pants/dress-pant-yoga-pants-collection/womens-black-boot-flare-dress-pant-yoga-pants\",<br>
<br>
</div></div>For example:<br>
<br>
>       \"cookie: XXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXX;<br>
> XXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXX;<br>
> XXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXX; XXXXXX=XXXXXXXXX;<br>
> XXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>X=XXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXX=XXXXXXX;<br>
> XXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXX; XXXXXXXXXXXXXXXXXX=X;<br>
> XXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXX;<br>
> XXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXX;<br>
> XXXXXXXXXXXX=X;<br>
> XXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXX;<br>
> XXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXX;<br>
> XXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXX;<br>
> XXXXXXXXXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXX;<br>
> XXXXXXXX=XXXXXXXXXXXXXX; XXXXXXX=XXXXXXXXXXXX; XXXXX=X;<br>
> XXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXX;<br>
> XXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXX;<br>
> XXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXX;<br>
> XXXXXXXXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXX<br>
> XXX XX XXXX XXXXXXXX XXXXXXXX XXXXX;<br>
> XXXXXXXXXXXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXX<br>
> XXX XX XXXX XXXXXXXX XXXXXXXX XXXXX;<br>
> XXXXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXX;<br>
> XXXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>X;<br>
> XXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXX;<br>
> XXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXX;<br>
> XXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXX;<br>
> XXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXX; XXXXXXXXXXXXXXXXXXXX=X;<br>
> XXXXXXXXXXXXXXXX=X; XXXXXXXXXX=X;<br>
> XXXXXXXXXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXX<br>
> XXX XX XXXX XXXXXXXX XXXXXXXX XXXXX; XXXXXXXXXXXXXXXXXXXXXX=XXXX;<br>
> XXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXXXXXXXXX; XXXXXXXXXXX=X;<br>
> XXXXXXXXXXX=X; XXXXXXXXXXXXXXXXX=<wbr>XXXXXXXXXXXXX;<br>
> XXXXXXXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XXXXXX;<br>
> XXXXXXX=<wbr>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<wbr>XX\",<br>
<br>
And anything sensitive in general like IP addresses...<br>
<div class="HOEnZb"><div class="h5"><br>
>       \"CF-Connecting-IP: 208.64.112.35\",<br>
>       \"X-Forwarded-Proto: https\",<br>
>       \"Connection: close\",<br>
>       \"X-Request-Start: t=1511907453131\",<br>
>       \"X-Queue-Start: t=1511907453131\",<br>
>       \"X-Unique-ID: 0A800027:8911_0A2C2B04:01BB_<wbr>5A1DE07D_30A0ADB:0009\",<br>
>       \"X-Forwarded-For: 208.64.112.35, 10.128.0.39, 10.44.43.4,<br>
> 10.44.43.4\",<br>
>       \"X-PSA-Blocking-Rewrite: betabrand-pagespeed\",<br>
>       \"Accept: application/json\",<br>
>     },<br>
>   },<br>
>   vcl = {<br>
>     name = \"boot\",<br>
>     busy = 135,<br>
>     discard = 0,<br>
>     state = auto,<br>
>     temp = warm,<br>
>     conf = {<br>
>       srcname = {<br>
>         \"/etc/varnish/default.vcl\",<br>
>         \"Builtin\",<br>
>       },<br>
>     },<br>
>   },<br>
>   vmods = {<br>
>     std = {Varnish 5.2.0 4c4875cbf, 0.0},<br>
>     directors = {Varnish 5.2.0 4c4875cbf, 0.0},<br>
>   },<br>
>   flags = {<br>
>   },<br>
> },<br>
> thr.busyobj = (nil) {<br>
> },<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">Dridi<br>
</font></span></blockquote></div><br></div>
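Dridi's advice in the quoted message (replace cookie values with junk, mask IP addresses) turned into a small scrubbing script, as an added example that is not code from this thread or from the Varnish project; the function names, the TEST-NET-1 mapping and the sample excerpt are constructed here.

```python
import ipaddress
import re

# A cookie header line as Varnish prints it in the panic's http[req] hdrs block.
COOKIE_LINE = re.compile(r'^(?P<lead>\s*"?cookie:\s*)(?P<body>.*?)(?P<tail>"?,?\s*)$', re.I)
# A dotted quad not embedded in a longer dotted run, so "FBAV/150.0.0.32.132" is left alone.
IPV4 = re.compile(r'(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])')

def redact_cookie_values(body):
    # Keep each cookie name, replace the value with junk of the same length: the
    # dump's workspace numbers then still make sense. Split on the first '=' only.
    pairs = []
    for pair in body.split(';'):
        name, eq, value = pair.partition('=')
        pairs.append(name + eq + 'X' * len(value))
    return ';'.join(pairs)

def mask_ipv4(text, seen):
    # Map each address to a stable one in TEST-NET-1 (192.0.2.0/24) so the
    # X-Forwarded-For hops still line up with the `client =` line. IPv4 only.
    def replace(m):
        ip = m.group(0)
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:  # octet above 255: not an address
            return ip
        seen.setdefault(ip, f'192.0.2.{len(seen) + 1}')
        return seen[ip]
    return IPV4.sub(replace, text)

def redact_panic(panic):
    # Scrub cookie values and IPv4 addresses from a Varnish panic dump, line by line.
    seen, out = {}, []
    for line in panic.splitlines():
        m = COOKIE_LINE.match(line)
        if m:
            line = m['lead'] + redact_cookie_values(m['body']) + m['tail']
        out.append(mask_ipv4(line, seen))
    return '\n'.join(out)

# Constructed excerpt in the shape of the dump quoted in the thread (not real data).
SAMPLE_PANIC = """\
    client = 10.44.43.4 45520,
    hdrs {
      "user-agent: Mozilla/5.0 (iPhone) [FBAV/150.0.0.32.132]",
      "cookie: frontend=abc123def456; lang=en; a=b=c",
      "CF-Connecting-IP: 203.0.113.7",
      "X-Forwarded-For: 203.0.113.7, 10.128.0.39, 10.44.43.4",
    },"""
```

Run `redact_panic` over the saved panic text before pasting it into a bug report; the Host and referer lines are left as they are, since they identify the site rather than the user.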