Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-31607

Insecure default value of Varnish invalidate token

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.2.0, 3.0.7, 3.1.2
    • Component/s: Platform > HTTPCache
    • Labels:
      None
    • Environment:

      Platform.sh

    • Sprint:
      [3.2] - Sprint 2

      Description

      On Platform.sh varnish is purged using a token. This token used to have a random value by default, unless other value was specified.
      https://github.com/ezsystems/ezplatform/blob/master/config/packages/overrides/platformsh.php#L142

      But now we have a default value for HTTPCACHE_VARNISH_INVALIDATE_TOKEN in .env file (https://github.com/ezsystems/ezplatform/blob/master/.env#L55) and it's used instead when deploying to Platform.sh

      Summary:
      Default value of Varnish purge token in the past:
      It was based on $_SERVER['PLATFORM_PROJECT_ENTROPY'] value

      Default value of Varnish purge token now:
      It's equal to the value specified in .env, which is ~.

      I believe it can be confusing for people who are used to "secure" default values (and do not configure their own), which can lead to issues such as https://jira.ez.no/browse/EZP-31353 (because people will be using the ~ token).
       
      We're treating this as a security improvement, not a bug, since it's about default values, which project admins are expected to change in any case.

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            marek.nocon@ez.no Marek Nocoń
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: