From b3d4bca415ab90108b29b232a4ae7a892d4c48ec Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Mon, 25 Feb 2019 10:59:33 +0100
Subject: [PATCH] BUG/MEDIUM: cache: Get objects from the cache only for GET and HEAD requests
Only responses for GET requests are stored in the cache. But there is no check on the method during the lookup. So it is possible to retrieve an object from the cache independently of the method, from the time the key of the object matches. Now, lookups are performed only for GET and HEAD requests. This patch must be backportedi in 1.9.
---
 src/cache.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/cache.c b/src/cache.c
index 074c43bc4..f1ad3c7e2 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1401,10 +1401,17 @@ enum act_return http_action_req_cache_use(struct act_rule *rule, struct proxy *p
 struct session *sess, struct stream *s, int flags)
 {
+ struct http_txn *txn = s->txn;
 struct cache_entry *res;
 struct cache_flt_conf *cconf = rule->arg.act.p[0];
 struct cache *cache = cconf->c.cache;
+ /* Ignore cache for HTTP/1.0 requests and for requests other than GET
+ * and HEAD */
+ if (!(txn->req.flags & HTTP_MSGF_VER_11) ||
+ (txn->meth != HTTP_METH_GET && txn->meth != HTTP_METH_HEAD))
+ txn->flags |= TX_CACHE_IGNORE;
+
 if (IS_HTX_STRM(s))
 htx_check_request_for_cacheability(s, &s->req);
 else
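Review bot: The guard added before `if (IS_HTX_STRM(s))` only raises `TX_CACHE_IGNORE`; the lookup it is meant to suppress sits past the trailing `else`, outside this hunk, so the fix depends on the two cacheability helpers and the lookup code leaving that flag set and actually testing it. That dependency deserves a line in the new comment, for example `/* TX_CACHE_IGNORE is what skips the lookup below; the cacheability check must not clear it */`, once confirmed against the rest of the function. The same condition also keeps HTTP/1.0 requests away from the cache, which the code comment states but the commit message does not, so someone backporting from the message alone may miss it. Since lookups stay enabled for HEAD while only GET responses are stored, it is also worth confirming that the delivery path does not replay the stored body on a HEAD request, as that would break response framing on a persistent connection.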