ZF-5532: Zend_Cache_Frontend_Page - possible DOS risk...strip get variables from $_SERVER['REQUEST_URI'] when making ID

Description

Say that I set the frontend options of Zend_Cache_Frontend_Page with 'make_id_with_get_variables' to false ...

Intuitively, I would assume that the same cache ID/file would be created for any of the following GET requests: /page.php /page.php?var=1 /page.php?var=77&var2=22

And I assumed that only ONE cache file would be created for page.php, regardless of the GET variables tagged onto the end of the request. However for each of the three examples above, I get 3 separate cache files stored.

The reason is because the REQUEST_URI used as the cache ID - which includes the GET variables anyway. So, setting 'make_id_with_get_variables' to false is moot, as each of the three URIs above are already unique BECAUSE of their GET variables.

The ID name should be based off of the requested URI with the QUERY_STRING stripped off.
With that configuration: 1) make_id_with_get_variables = false would only save ONE cache file for the above URIs 1) make_id_with_get_variables = true would save ONE cache file for each unique query string request

This issue could also bring about risk of DOS attack. With 'make_id_with_get_variables' to false, an attacker could constantly query urls like: /page.php?var=randomString Which could fill up the file space, even though the GET variables should have no effect on the name of the cache file. (Yes this could happen in other types of cache setups as well, but in this specific case it should not be happening).

Comments

Added in DOS possibility, and clarified some of the explanation. Originally I put "improvement" by mistake.

I just commited a fix into SVN trunk, can you try it ?

If it's ok for you, I will backport on the 1.7 branch

thanks

Sorry for the delay...I think its fixed!