BUG/MEDIUM: cache: don't cache when an Authorization header is present
RFC 7234 says:
A cache MUST NOT store a response to any request, unless:
[...] the Authorization header field (see Section 4.2 of [RFC7235]) does
not appear in the request, if the cache is shared, unless the
response explicitly allows it (see Section 3.2), [...]
In this patch we completely disable the cache upon the receipt of an
Authorization header in the request. In this case it's not possible to
either use the cache or store into the cache anymore.
Thanks to Adam Eijdenberg of Digital Transformation Agency for raising
this issue.
This patch must be backported to 1.8.
diff --git a/src/proto_http.c b/src/proto_http.c
index 3adb54f..efa6d6a 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -7737,6 +7737,15 @@
}
}
+ /* Don't use the cache and don't try to store if we found the
+ * Authorization header */
+ val = http_header_match2(cur_ptr, cur_end, "Authorization", 13);
+ if (val) {
+ txn->flags &= ~TX_CACHEABLE & ~TX_CACHE_COOK;
+ txn->flags |= TX_CACHE_IGNORE;
+ continue;
+ }
+
val = http_header_match2(cur_ptr, cur_end, "Cache-control", 13);
if (!val)
continue;