Closed akolinski closed 7 years ago
The cache can indeed be bloated by malformed or malicious urls, however it is not the job of a caching layer to police the routes into an application. You should ensure that non-valid urls always return a 404 response.
This can be handled in EE templates:
{!-- no results --}
{if no_results}
{redirect="404"}
{/if}
{!-- additional segments --}
{if segment_4}
{redirect="404"}
{/if}
But I highly recommend using Resource Router to define and validate known routes:
'blog/:url_title' => function($router, $wildcard) {
// valid blog entry (channel 2)?
if ($wildcard->isValidUrlTitle(array('channel_id' => 2))) {
// route to template
$router->setTemplate('blog/post');
}
},
// any other rules here
// send any other non-matching routes to 404
'.*' => function($router) {
$router->set404();
},
If you want to specify a specific name and context for a full-page cache you can use {exp:stash:set}
:
{exp:stash:set
name="my_name"
context="my_context"
scope="site"
save="yes"
parse="yes"
parse_depth="4"
refresh="0"
replace="no"
output="yes"
}
// stuff to cache
{/exp:stash:set}
Please see the resource router and caching sections of this presentation for further guidance: https://speakerdeck.com/croxton/stash-the-right-way
When viewing which variables are created when using the
{exp:stash:cache}
tag within Mustash you can create URIs that return a page (e.g. when using{last_segment}
to select the entry) so it doesn't return a 404 but isn't a correctly formed URI e.g. correct path = domain.com/path1/entry_url_title, incorrect but working domain.com/path2/entry_url_title. For each unique URI a cache entry is created in the database.Even when using context and name parameters, rather than
@URI
it appears to generate a cache entry because the URI is different.{exp:stash:cache bundle="mybundle" context="the_context" name="{last_segment}" refresh="1440" parse_stage="both"}
This appears to create an attack vector for filling a database server with bogus cache entries.
You can fix this with a patch to line 2668 within mod.stash.php. I've also created a pull request https://github.com/croxton/Stash/pull/150.
$this->EE->TMPL->tagparams['context'] = $this->EE->TMPL->fetch_param('context', '@URI');
Happy to discuss further 👍