vrt: Enable BREACH mitigation for resp_top

varnishcache · Jul 10, 2024 · b73e190 · b73e190
1 parent 06371b9
commit b73e190
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 3 deletions.
diff --git a/bin/varnishd/cache/cache_vrt_filter.c b/bin/varnishd/cache/cache_vrt_filter.c
@@ -404,9 +404,12 @@ resp_default_filter_list(void *arg, struct vsb *vsb)
 
 	if (cache_param->http_gzip_support &&
 	    req->objcore != NULL &&
-	    ObjCheckFlag(req->wrk, req->objcore, OF_GZIPED) &&
-	    !RFC2616_Req_Gzip(req->http))
-		VSB_cat(vsb, " gunzip");
+	    ObjCheckFlag(req->wrk, req->objcore, OF_GZIPED)) {
+		if (!RFC2616_Req_Gzip(req->http))
+			VSB_cat(vsb, " gunzip");
+		else if (FEATURE(FEATURE_GZIP_BREACH))
+			VSB_cat(vsb, " gzip_breach");
+	}
 
 	if (cache_param->http_range_support &&
 	    http_GetStatus(req->resp) == 200 &&

diff --git a/bin/varnishtest/tests/b00085.vtc b/bin/varnishtest/tests/b00085.vtc
@@ -0,0 +1,46 @@
+varnishtest "Heal-the-BREACH mitigation during delivery"
+
+server s1 {
+	rxreq
+	txresp -gziplen 4001
+} -start
+
+varnish v1 -cliok "param.set feature +gzip_breach"
+varnish v1 -vcl+backend "" -start
+
+varnish v1 -cliok "debug.srandom"
+
+client c1 {
+	txreq -hdr "accept-encoding: gzip"
+	rxresp
+	expect resp.bodylen == 4119
+	gunzip
+	expect resp.bodylen == 4001
+
+	txreq -hdr "accept-encoding: gzip"
+	rxresp
+	expect resp.bodylen == 4243
+	gunzip
+	expect resp.bodylen == 4001
+
+	txreq -hdr "accept-encoding: gzip"
+	rxresp
+	expect resp.bodylen == 4347
+	gunzip
+	expect resp.bodylen == 4001
+
+	txreq -hdr "accept-encoding: gzip"
+	rxresp
+	expect resp.bodylen == 4292
+	gunzip
+	expect resp.bodylen == 4001
+
+	txreq -hdr "accept-encoding: gzip"
+	rxresp
+	expect resp.bodylen == 4139
+	gunzip
+	expect resp.bodylen == 4001
+} -run
+
+varnish v1 -expect cache_miss == 1
+varnish v1 -expect cache_hit == 4