ZF-5532: Zend_Cache_Frontend_Page - possible DOS risk...strip get variables from $_SERVER['REQUEST_URI'] when making ID

Issue Type: Bug Created: 2009-01-12T12:59:32.000+0000 Last Updated: 2009-04-21T12:25:00.000+0000 Status: Resolved Fix version(s): - 1.8.0 (30/Apr/09)

Reporter: John Brown (johniskew) Assignee: Fabien MARTY (fab) Tags: - Zend_Cache

Related issues: Attachments:


Say that I set the frontend options of Zend_Cache_Frontend_Page with 'make_id_with_get_variables' to false ...

Intuitively, I would assume that the same cache ID/file would be created for any of the following GET requests: /page.php /page.php?var=1 /page.php?var=77&var2=22

And I assumed that only ONE cache file would be created for page.php, regardless of the GET variables tagged onto the end of the request. However for each of the three examples above, I get 3 separate cache files stored.

The reason is because the REQUEST_URI used as the cache ID - which includes the GET variables anyway. So, setting 'make_id_with_get_variables' to false is moot, as each of the three URIs above are already unique BECAUSE of their GET variables.

The ID name should be based off of the requested URI with the QUERY_STRING stripped off.
With that configuration: 1) make_id_with_get_variables = false would only save ONE cache file for the above URIs 1) make_id_with_get_variables = true would save ONE cache file for each unique query string request

This issue could also bring about risk of DOS attack. With 'make_id_with_get_variables' to false, an attacker could constantly query urls like: /page.php?var=randomString Which could fill up the file space, even though the GET variables should have no effect on the name of the cache file. (Yes this could happen in other types of cache setups as well, but in this specific case it should not be happening).


Posted by John Brown (johniskew) on 2009-03-18T06:53:09.000+0000

Added in DOS possibility, and clarified some of the explanation. Originally I put "improvement" by mistake.

Posted by Fabien MARTY (fab) on 2009-03-29T00:56:35.000+0000

I just commited a fix into SVN trunk, can you try it ?

If it's ok for you, I will backport on the 1.7 branch


Posted by John Brown (johniskew) on 2009-04-21T12:08:27.000+0000

Sorry for the delay...I think its fixed!

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.