  1. Documentation
  2. DOCU-2300

Web Cache Poisoning


Details

    • Improvement
    • Resolution: Done
    • Neutral

    Description

      Not sure where exactly to place this, but there's a hole that is easy for all developers to get themselves into, and it's tough to discover when it happens, so it should probably be mentioned/linked from multiple places.

      --------

      When developing web page templates, one needs to use various inputs such as content, language, request parameters or user information when authenticated. For all those attributes, Magnolia takes care and includes them in the cache headers to ensure unique cache entries are generated for all variants of the attributes that occur.

      Sometimes, however, it is necessary to also use more exotic or less obvious variables to steer the generated HTML. It might be certain header values, date/time or other input. When using such more exotic parameters, developers need to consider the impact of the input on cache validity to prevent web cache poisoning.

      Imagine using the referer header (yes, the name is misspelled; see the spec) to change the teaser image link on the page. Once this is rendered, by default, the result is cached and is then used for all other incoming requests (as long as the cache entry is valid), regardless of their referer header. Depending on the content that is rendered, it might be an issue or not, but again imagine someone finds a way to pass malicious content through such a referer header, which then gets rendered for all incoming requests that come trusting to get your content. This is what is called Web Cache Poisoning.

       

      To prevent the issue, it is necessary for the developer to consider all the input that goes into rendering the response and where it comes from. And if such input originates from the request, then either

      • it needs to be included in the cache key to allow Magnolia to generate an independent cache entry for it, or
      • the component rendering such content needs to be marked as dynamic and excluded from the cache (see DPC for more details), or
      • the whole page needs to be excluded from the cache.
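
The referer scenario and two of the mitigations listed above (cache key, exclusion from the cache), as an added example that is not Magnolia code and not part of the original issue. `render_teaser`, `PageCache`, `key_headers`, `cacheable` and the sample URLs are hypothetical names and constructed values used to model a page cache in front of a template.

```python
from html import escape


def render_teaser(path, headers):
    """Constructed template: the teaser link is taken from the Referer header."""
    target = headers.get("Referer") or "/teasers/default"
    # Escaping keeps markup out of the attribute, but the link target is
    # still chosen by whoever sent the request.
    return f'<a class="teaser" href="{escape(target, quote=True)}">Teaser for {escape(path)}</a>'


class PageCache:
    """Toy page cache (assumption: entries never expire during the demo)."""

    def __init__(self, renderer, key_headers=(), cacheable=True):
        self.renderer = renderer
        self.key_headers = tuple(key_headers)  # request headers added to the cache key
        self.cacheable = cacheable             # False = never store the response
        self.store = {}

    def get(self, path, headers):
        if not self.cacheable:
            return self.renderer(path, headers)
        # Every request-derived input that steers the output has to be in the key;
        # otherwise the first requester's variant is replayed to everyone.
        key = (path,) + tuple(headers.get(h, "") for h in self.key_headers)
        if key not in self.store:
            self.store[key] = self.renderer(path, headers)
        return self.store[key]


def later_visitor_sees(cache):
    """Warm the cache with a requester-chosen Referer, then return what a
    later visitor who sends no Referer receives for the same page."""
    cache.get("/home", {"Referer": "https://untrusted.example/promo"})
    return cache.get("/home", {})


if __name__ == "__main__":
    print("path-only key  :", later_visitor_sees(PageCache(render_teaser)))
    print("Referer in key :", later_visitor_sees(PageCache(render_teaser, key_headers=["Referer"])))
    print("not cached     :", later_visitor_sees(PageCache(render_teaser, cacheable=False)))
```

With the path-only key, the later visitor is served the link that the first request supplied. Keying on a free-form header such as Referer also creates one cache entry per distinct value, so it trades poisoning for cache fragmentation unless the value is normalised first.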

       

       


              People

                mdrapela Martin Drápela
                had Jan Haderka