Mailing List Archive

Hi Rudd,

Sorry for the delay, for some reason your email ended up in my spam folder,
I just saw it today.

Cache poisoning is a vast subject, and in absence of more context the
answer to your question is probably going to be "yes, but no but still,
intrinsically yes".

Yes, because you can mess up your configuration with something like:
sub vcl_hash {
hash_data("foo");
return(lookup);
}
and boom, all objects are basically going to be cached under the same cache
key, which is super bad, don't do that.
The freedom you get through configuration can turn against you. Here's my
favorite example to explain it:
sub vcl_hash {
hash_data(req.url);
hash_data(req.http.host);
if (req.http.a) {
hash_data(req.http.a);
}
if (req.http.b) {
hash_data(req.http.b)
}
return(lookup);
}
Which isn't nearly as dumb as the original example, but which will hash
these two requests the same way:
curl example.com/foo -H "a: bar"
curl example.com/foo -H "b: bar"
And if somebody knows about how you hash your object and there's a similar
flaw in the hashing logic, you can get cache

No, because Varnish is an extremely secure piece of software with an
excellent security track record and I don't think it ever got a CVE that
poisoned the cache. not to say it can't/won't happen, but sometimes past
performance is a good indicator of future results.

So, even though the software is safe and secure, you can still shoot
yourself in the foot if you want to (or are not careful). Thousands of
cases of cache poisoning happens yearly because somebody forgot to tell
their CDN that the querystring needs to be part of the cache key AND sorted.

Hopefully this helps, let me know if you have more context to narrow the
scope of that very vast topic :-)

Ah, and while I'm here: please don't use massively antiquated Varnish
versions. 4.1 has been EOL a while ago, it's really not recommended to use.

Cheers,

--
Guillaume Quintard


On Fri, Oct 27, 2023 at 12:54?AM <ruud.peters@kpn.com> wrote:

> Hi,
>
>
>
> Is there anything known that Varnish has problems with cache poisening?
> And if yes, how can this be avoided in the config?
>
> We are running a old version of Varnish (varnish-4.1.8 revision d266ac5c6)
>
>
>
>
>
> Met vriendelijke groet / With kind regards,
>
>
>
>
>
> *Ruud Peters*
>
> *Technisch Beheerder TAM3*
>
> Integration SA DevOps 3
>
>
>
> Email : ruud.peters@kpn.com
>
> Phone : +31630736741
>
>
>
> Stationsplein 18 6221 BT, Maastricht
>
>
> (On Mondays and Thursdays I’m in the office until about 14:00)
>
>
>
> Handelsregister KvK Den Haag
>
> Nr. 27124701
>
>
>
> [image: twitter]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_kpn&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=SHw-AgeWmMkMA0HlnhzHhxKjC0-3ZvNfsNAC7uRfT_M&m=PPlxN7TMhT2xr2QgTxCcLKJXrujT3E_BtoULxbTfOuU&s=__LlIYz1us6athyMaicWUENl0eXliwsKc6ZOuLjthxA&e=>[image:
> facebook]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_kpn&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=SHw-AgeWmMkMA0HlnhzHhxKjC0-3ZvNfsNAC7uRfT_M&m=PPlxN7TMhT2xr2QgTxCcLKJXrujT3E_BtoULxbTfOuU&s=Zxz20RO2KypBQqvxBL2tDdL29IvpFS3LvGxQrytAtdY&e=>[image:
> linkedin]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_company_kpn&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=SHw-AgeWmMkMA0HlnhzHhxKjC0-3ZvNfsNAC7uRfT_M&m=PPlxN7TMhT2xr2QgTxCcLKJXrujT3E_BtoULxbTfOuU&s=CJB3bkdHr0lzGaD_Jwd6PDj5r4RpEXY-YqKEP9Z0DVg&e=>[image:
> youtube]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_user_KPN&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=SHw-AgeWmMkMA0HlnhzHhxKjC0-3ZvNfsNAC7uRfT_M&m=PPlxN7TMhT2xr2QgTxCcLKJXrujT3E_BtoULxbTfOuU&s=qsRYQVgKH5enM9ot1yuxgeDHFD_rMJZQ1D8WtoKznkA&e=>
>
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc@varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>