Re: proxy_cache when 'Authorization' HTTP header presents.

August 18, 2009 10:13AM
On Wed, Aug 12, 2009 at 11:47:31AM +0900, Kuramoto Eiji wrote:

> Hi,
>
> The proxy_cache module sends cached contents until they expire,
> even if a client sends a wrong user/password after passing the first (401)
> authentication. It might be a bug ... ?

I agree that nginx should not cache authenticated responses. However,
it should be configured, otherwise, anyone may flush the cache with a dummy
"Authorization" header.

> small patch like this,
>
>
> --- ngx_http_upstream.c 22 Jul 2009 04:01:25 -0000 1.7
> +++ ngx_http_upstream.c 11 Aug 2009 10:01:41 -0000 1.8
> @@ -397,7 +397,18 @@
>
> #if (NGX_HTTP_CACHE)
>
> + /*
> + * don't cache when Authorization header presents.
> + */
> + if (u->conf->cache
> + && r->headers_in.authorization == NULL
> + && r->headers_in.user.data == NULL /* don't check 'len' for empty user/passwd */
> + && r->headers_in.passwd.data == NULL) {
> ngx_int_t rc;
>
> rc = ngx_http_upstream_cache(r, u);
>
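Review bot: the condition added in front of ngx_http_upstream_cache(r, u) skips the cache unconditionally whenever r->headers_in.authorization is set, with no configuration switch, so any client can push its requests past the cache by sending an arbitrary Authorization header. Consider gating the check on a per-location setting so the operator decides where authenticated requests bypass the cache. The extra tests on r->headers_in.user.data and r->headers_in.passwd.data need a comment explaining when they can be non-NULL while authorization is NULL; if they cannot, drop them. In the block comment, "presents" should read "is present".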
> - Kuramoto Eiji

--
Igor Sysoev
http://sysoev.ru/en/
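
The configurable behaviour discussed in this reply, shown as an added example that is not part of the original thread or the posted patch. It uses the `proxy_cache_bypass` and `proxy_no_cache` directives that current nginx provides; the upstream name, zone name, paths and locations are placeholders.

```nginx
# Fragment for the http {} context. All names and paths are constructed placeholders.
proxy_cache_path /var/cache/nginx/app keys_zone=app_cache:10m;

upstream backend_app {
    server 127.0.0.1:8080;
}

server {
    listen 80;

    # Weak: the cache key ignores credentials, so a response fetched by an
    # authenticated client is replayed to later requests until it expires,
    # even when those requests carry wrong credentials.
    location /weak/ {
        proxy_pass        http://backend_app;
        proxy_cache       app_cache;
        proxy_cache_valid 200 10m;
    }

    # Corrected: requests that carry an Authorization header always go to the
    # upstream, and their responses are never written to the cache.
    location /hardened/ {
        proxy_pass        http://backend_app;
        proxy_cache       app_cache;
        proxy_cache_valid 200 10m;

        # Do not answer from the cache when the header is non-empty.
        proxy_cache_bypass $http_authorization;

        # Do not store the upstream response either. Without this line a
        # bypassed request can still replace the cached entry, which is the
        # "flush the cache with a dummy header" problem raised in the reply.
        proxy_no_cache     $http_authorization;
    }
}
```

A request with a dummy header still reaches the upstream in the hardened location, so the backend has to enforce authentication and absorb that load itself.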