BUG/MEDIUM: cache: don't cache when an Authorization header is present

RFC 7234 says:

A cache MUST NOT store a response to any request, unless:
[...] the Authorization header field (see Section 4.2 of [RFC7235]) does
      not appear in the request, if the cache is shared, unless the
      response explicitly allows it (see Section 3.2), [...]

In this patch we completely disable the cache upon the receipt of an
Authorization header in the request. In this case it's not possible to
either use the cache or store into the cache anymore.

Thanks to Adam Eijdenberg of Digital Transformation Agency for raising
this issue.

This patch must be backported to 1.8.
William Lallemand 2018-05-22 11:04:33 +02:00 committed by Willy Tarreau
parent d5b073cf1f
commit 8a16fe0d05
2 changed files with 10 additions and 0 deletions


@ -17265,6 +17265,7 @@ The cache won't store and won't deliver objects in these cases:
- If the request is not a GET - If the request is not a GET
- If the HTTP version of the request is smaller than 1.1 - If the HTTP version of the request is smaller than 1.1
- If the request contains an Authorization header
Caution!: Due to the current limitation of the filters, it is not recommended Caution!: Due to the current limitation of the filters, it is not recommended
to use the cache with other filters. Using them can cause undefined behavior to use the cache with other filters. Using them can cause undefined behavior
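Review bot: the new bullet states the rule unconditionally, while the RFC 7234 text quoted in the commit message only forbids storing for a shared cache "unless the response explicitly allows it (see Section 3.2)"; since the commit message says the cache is disabled completely in this case, the documentation should say that the response-side exception is not honoured, e.g. `- If the request contains an Authorization header (responses that would explicitly permit caching under RFC 7234 section 3.2 are not stored either)`, so operators do not expect such responses to be cached.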


@ -7737,6 +7737,15 @@ void check_request_for_cacheability(struct stream *s, struct channel *chn)
} }
} }
/* Don't use the cache and don't try to store if we found the
* Authorization header */
val = http_header_match2(cur_ptr, cur_end, "Authorization", 13);
if (val) {
txn->flags &= ~TX_CACHEABLE & ~TX_CACHE_COOK;
txn->flags |= TX_CACHE_IGNORE;
continue;
}
val = http_header_match2(cur_ptr, cur_end, "Cache-control", 13); val = http_header_match2(cur_ptr, cur_end, "Cache-control", 13);
if (!val) if (!val)
continue; continue;
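Review bot: the check runs on the request alone, so it can never see the response directives that RFC 7234 section 3.2 allows as an exception; the comment above `http_header_match2(cur_ptr, cur_end, "Authorization", 13)` should state that this is deliberate and that setting `TX_CACHE_IGNORE` disables both lookup and store for the whole transaction (the commit message says so, the code comment only hints at it). Minor style point: `txn->flags &= ~TX_CACHEABLE & ~TX_CACHE_COOK;` is correct because `~A & ~B` is evaluated before the compound assignment, but it reads more clearly as `txn->flags &= ~(TX_CACHEABLE | TX_CACHE_COOK);`. Please also confirm that `http_header_match2` compares header names case-insensitively, since a client may send `authorization` in any case; the existing `Cache-control` match in the same loop uses the same call with the same 13-byte length, so this is presumably already covered, but it is worth a note in the commit since a case-sensitive match would silently reintroduce the bug.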