Hi Rudd,

Sorry for the delay, for some reason your email ended up in my spam folder, I just saw it today.

Cache poisoning is a vast subject, and in the absence of more context the answer to your question is probably going to be "yes, but no but still, intrinsically yes".

Yes, because you can mess up your configuration with something like:

    sub vcl_hash {
        # every request feeds the same data into the hash
        hash_data("foo");
        return(lookup);
    }

and boom, all objects are basically going to be cached under the same cache key, which is super bad, don't do that.

The freedom you get through configuration can turn against you. Here's my favorite example to explain it:

    sub vcl_hash {
        hash_data(req.url);
        hash_data(req.http.host);
        # only the header values are hashed, not which header they came from
        if (req.http.a) {
            hash_data(req.http.a);
        }
        if (req.http.b) {
            hash_data(req.http.b);
        }
        return(lookup);
    }

Which isn't nearly as dumb as the original example, but which will hash these two requests the same way:

    curl example.com/foo -H "a: bar"
    curl example.com/foo -H "b: bar"

And if somebody knows about how you hash your object and there's a similar flaw in the hashing logic, you can get cache

No, because Varnish is an extremely secure piece of software with an excellent security track record and I don't think it ever got a CVE that poisoned the cache. Not to say it can't/won't happen, but sometimes past performance is a good indicator of future results.

So, even though the software is safe and secure, you can still shoot yourself in the foot if you want to (or are not careful). Thousands of cases of cache poisoning happen yearly because somebody forgot to tell their CDN that the querystring needs to be part of the cache key AND sorted.

Hopefully this helps, let me know if you have more context to narrow the scope of that very vast topic :-)

Ah, and while I'm here: please don't use massively antiquated Varnish versions. 4.1 has been EOL a while ago, it's really not recommended to use.

Cheers,

--
Guillaume Quintard

On Fri, Oct 27, 2023 at 12:54 AM <ruud.pet...@kpn.com> wrote:

> Hi,
>
> Is there anything known that Varnish has problems with cache poisoning?
> And if yes, how can this be avoided in the config?
>
> We are running an old version of Varnish (varnish-4.1.8 revision d266ac5c6)
>
> With kind regards,
>
> Ruud Peters
> Technical Administrator TAM3
> Integration SA DevOps 3
>
> Email : ruud.pet...@kpn.com
> Phone : +31630736741
>
> Stationsplein 18 6221 BT, Maastricht
>
> (On Mondays and Thursdays I’m in the office until about 14:00)
>
> Handelsregister KvK Den Haag
> Nr. 27124701
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc@varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
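The cache-key collision between the two curl requests in the reply above, together with the sorted-querystring point, modelled as an added example that is not part of the original message and is not Varnish's own code. The model assumes the key is a SHA-256 over separator-terminated fields; `flawed_key`, `hardened_key`, `normalize_url` and the sample requests are hypothetical names constructed for illustration.

```python
import hashlib

SEP = "\x00"  # assumed field separator for this model only

def _digest(fields):
    """SHA-256 over the fields, each terminated by SEP."""
    return hashlib.sha256("".join(f + SEP for f in fields).encode()).hexdigest()

def flawed_key(url, host, headers):
    """Same logic as the second vcl_hash in the message."""
    fields = [url, host]
    for name in ("a", "b"):
        if name in headers:
            fields.append(headers[name])  # value only: the header name is lost
    return _digest(fields)

def normalize_url(url):
    """Sort query-string parameters so their order cannot split the key."""
    path, _, query = url.partition("?")
    return path + ("?" + "&".join(sorted(query.split("&"))) if query else "")

def hardened_key(url, host, headers):
    """One labelled slot per header, present or not, over the sorted URL."""
    fields = [normalize_url(url), host]
    for name in ("a", "b"):
        value = headers.get(name)
        fields.append(name + ("=" + value if value is not None else " unset"))
    return _digest(fields)

# Constructed sample requests matching the two curl commands in the message.
REQ_A = ("/foo", "example.com", {"a": "bar"})
REQ_B = ("/foo", "example.com", {"b": "bar"})

if __name__ == "__main__":
    print("flawed collide:  ", flawed_key(*REQ_A) == flawed_key(*REQ_B))
    print("hardened collide:", hardened_key(*REQ_A) == hardened_key(*REQ_B))
```

In VCL terms, the labelled slot corresponds to hashing the header name together with its value, and the URL normalisation to sorting the query string before it is hashed.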