[vcl] don't explicitly hash the host header #28928

Merged
merged 2 commits into from
Oct 21, 2020

Contributor

@gquintard gquintard commented Jun 30, 2020

Hashing `req.http.host`/`client.ip` is already handled by the [built-in vcl](https://github.com/varnishcache/varnish-cache/blob/6.0/bin/varnishd/builtin.vcl#L86) so there's no need to repeat it explicitly.

It's also a bit confusing as `req.url` is not explicitly handled, even though it's a more important hash input than the host.

note: all versions have been changed for the sake of consistency but both the 4.x and 5.x series have been EOL'd a (long) while ago and users should be encouraged to upgrade as soon as possible.

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds are green)

Resolved issues:

  1. resolves [Issue] [vcl] don't explicitly hash the host header #29988: [vcl] don't explicitly hash the host header

@gquintard
Contributor Author

@magento run all tests

Contributor

@lbajsarowicz lbajsarowicz left a comment

Nice catch!

@magento-engcom-team
Contributor

Hi @lbajsarowicz, thank you for the review.
ENGCOM-7759 has been created to process this Pull Request
✳️ @lbajsarowicz, could you please add one of the following labels to the Pull Request?

| Label | Description |
| --- | --- |
| Auto-Tests: Covered | All changes in Pull Request is covered by auto-tests |
| Auto-Tests: Not Covered | Changes in Pull Request requires coverage by auto-tests |
| Auto-Tests: Not Required | Changes in Pull Request does not require coverage by auto-tests |

@magento-engcom-team
Contributor

@gquintard thank you for contributing. Please accept Community Contributors team invitation here to gain extended permissions for this repository.

@gquintard
Contributor Author

@magento run all tests

@engcom-Alfa engcom-Alfa mentioned this pull request Jul 24, 2020
4 tasks
@lbajsarowicz lbajsarowicz added the Auto-Tests: Not Required Changes in Pull Request does not require coverage by auto-tests label Jul 24, 2020
@lbajsarowicz
Contributor

Automated Tests are not applicable, as the change is related to infrastructure configuration.

@sdzhepa sdzhepa added the Triage: Dev.Experience Issue related to Developer Experience and needs help with Triage to Confirm or Reject it label Aug 11, 2020
@sidolov sidolov added Priority: P4 No current plan to fix. Fixing can be deferred as a logical part of more important work. Severity: S4 Affects aesthetics, professional look and feel, “quality” or “usability”. Cleanup labels Sep 10, 2020
@sidolov
Contributor

sidolov commented Sep 10, 2020

@magento create issue

@engcom-Bravo
Contributor

Dev experience is required for testing of this PR. Please note that Manual testing has not been performed.

@engcom-Charlie
Contributor

✔️ QA Passed

Hashing is already handled by the built-in vcl starting from varnish 4.0.
Magento-supported varnish versions are 4.x, 5.2 or 6.x (see https://devdocs.magento.com/guides/v2.4/config-guide/varnish/config-varnish-install.html).

@engcom-Charlie engcom-Charlie added the QA: Ready to add to Regression Scope Should be analyzed and added to Regression Testing Scope(if applicable) label Oct 7, 2020
@engcom-Alfa engcom-Alfa added QA: Added to Regression Scope Scenario was analysed and added to Regression Testing Scope and removed QA: Ready to add to Regression Scope Should be analyzed and added to Regression Testing Scope(if applicable) labels Oct 15, 2020
@magento-engcom-team magento-engcom-team merged commit 69a0b41 into magento:2.4-develop Oct 21, 2020

gquintard added a commit to gquintard/magento2 that referenced this pull request Sep 4, 2023
Conditional hashing can lead to collisions and should be avoided. As an
example, this code:

``` vcl
sub vcl_hash {
	if (req.http.a) {
		hash_data(req.http.a);
	}
	if (req.http.b) {
		hash_data(req.http.b);
	}
}
```

will return the same hash for these two requests:

```
GET / HTTP/1.1
a: foo
```

and

```
GET / HTTP/1.1
b: foo
```

whereas

``` vcl
sub vcl_hash {
	hash_data(req.http.a);
	hash_data(req.http.b);
}
```

is correct and simpler.
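
The collision described in the commit message above, reproduced as an added example (not code from the pull request or from Varnish). It uses a simplified model in which every `hash_data()` call feeds the value into SHA-256 followed by a one-byte separator; the function names and sample requests are constructed for illustration.

```python
import hashlib

SEP = b"\x00"  # assumed field separator appended after every hash_data() call

def hash_data(ctx, value):
    # Model of one hash_data() call: the value's bytes (none if the header
    # is unset), then the separator.
    if value is not None:
        ctx.update(value.encode())
    ctx.update(SEP)

def key_conditional(headers):
    # First vcl_hash above: a header is hashed only when it is set.
    ctx = hashlib.sha256()
    for name in ("a", "b"):
        if name in headers:
            hash_data(ctx, headers[name])
    return ctx.hexdigest()

def key_unconditional(headers):
    # Second vcl_hash above: both headers always occupy their own slot.
    ctx = hashlib.sha256()
    for name in ("a", "b"):
        hash_data(ctx, headers.get(name))
    return ctx.hexdigest()

def colliding_groups(key_fn, requests):
    # Bucket requests by cache key; report buckets shared by several requests.
    buckets = {}
    for label, headers in requests:
        buckets.setdefault(key_fn(headers), []).append(label)
    return sorted(group for group in buckets.values() if len(group) > 1)

# Constructed sample requests (header sets only; URL and host are identical).
REQUESTS = [
    ("a: foo", {"a": "foo"}),
    ("b: foo", {"b": "foo"}),
    ("a: foo + b: bar", {"a": "foo", "b": "bar"}),
    ("a: foobar", {"a": "foobar"}),
]

if __name__ == "__main__":
    print("conditional:  ", colliding_groups(key_conditional, REQUESTS))
    print("unconditional:", colliding_groups(key_unconditional, REQUESTS))
```

Running the same grouping over real header combinations from a VCL under review shows which request variants would be served the same cached object.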
Labels
Auto-Tests: Not Required Changes in Pull Request does not require coverage by auto-tests Award: category of expertise Cleanup Component: PageCache Priority: P4 No current plan to fix. Fixing can be deferred as a logical part of more important work. Progress: accept QA: Added to Regression Scope Scenario was analysed and added to Regression Testing Scope Release Line: 2.4 Severity: S4 Affects aesthetics, professional look and feel, “quality” or “usability”. Triage: Dev.Experience Issue related to Developer Experience and needs help with Triage to Confirm or Reject it