Closed chrismwendt closed 5 years ago
@slimsag I added you as a reviewer to help expedite the review of this change since it got bumped in priority today https://sourcegraph.slack.com/archives/C0C324C91/p1554427053097800?thread_ts=1554425326.073300&cid=C0C324C91
Thanks, @slimsag. I left `urlString` because both `u` and `url` are used for other variables.
If the cache key does not include the user/auth info, is there a way as user A I can possibly get data returned that was cached for user B, without being authorised to see that data?
> If the cache key does not include the user/auth info, is there a way as user A I can possibly get data returned that was cached for user B, without being authorised to see that data?
go-langserver checks for permission before reading from the cache:
Prior to this change, the cache key was the full URL, including whatever username:password was set (e.g. the Sourcegraph access token).
After this change, the cache key will be the URL but with empty username:password.
This will increase the probability of a cache hit because each repo@revision will be fetched once and used by any user.
A `HEAD` request is still made for each user x repo@revision pair to make sure the user has access to the repository contents.
fix https://github.com/sourcegraph/sourcegraph/issues/1940
cc @beyang just FYI, no action necessary
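The pattern discussed in this thread (a cache keyed by the URL with the `username:password` stripped, so every user shares one entry per repo@revision, and a per-user access check performed before the cache is ever read) as an added example in Go. This is illustrative code written for this page, not go-langserver's or Sourcegraph's own; the type and function names (`cacheKey`, `AccessChecker`, `ArchiveCache`, `tokenChecker`) and the sample URLs and tokens are constructed for the example, and the HTTP `HEAD` check is replaced by an in-memory checker so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"sync"
)

// cacheKey strips the userinfo (username:password, e.g. an access token)
// from the URL so every user fetching the same repo@revision shares one
// cache entry. Hypothetical helper, not go-langserver's code.
func cacheKey(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	u.User = nil // the credential must never be part of the key
	return u.String(), nil
}

// AccessChecker answers whether the credentials carried in rawURL may read
// the repository. In the thread this is a HEAD request made once per
// user x repo@revision; here it is an interface so the example runs offline.
type AccessChecker interface {
	CanAccess(rawURL string) bool
}

// AccessCheckerFunc adapts a plain function to AccessChecker.
type AccessCheckerFunc func(rawURL string) bool

func (f AccessCheckerFunc) CanAccess(rawURL string) bool { return f(rawURL) }

// tokenChecker is a constructed stand-in for the HEAD request: it allows the
// request when the password component of the URL is in the allowed set.
func tokenChecker(allowed map[string]bool) AccessChecker {
	return AccessCheckerFunc(func(rawURL string) bool {
		u, err := url.Parse(rawURL)
		if err != nil || u.User == nil {
			return false
		}
		tok, _ := u.User.Password()
		return allowed[tok]
	})
}

// ErrForbidden is returned when the access check fails; the cache is not consulted.
var ErrForbidden = errors.New("forbidden: access check failed")

// ArchiveCache caches repository contents keyed by the credential-free URL.
type ArchiveCache struct {
	mu      sync.Mutex
	entries map[string][]byte
	checker AccessChecker
	fetch   func(rawURL string) ([]byte, error) // origin fetch on a miss
	Fetches int                                // origin fetches so far
}

func NewArchiveCache(checker AccessChecker, fetch func(string) ([]byte, error)) *ArchiveCache {
	return &ArchiveCache{entries: map[string][]byte{}, checker: checker, fetch: fetch}
}

// Get checks access first, then reads from or fills the shared cache.
// The check runs on every call, including cache hits: because the key no
// longer carries the caller's credentials, the cache cannot tell users apart.
func (c *ArchiveCache) Get(rawURL string) ([]byte, error) {
	if !c.checker.CanAccess(rawURL) {
		return nil, ErrForbidden
	}
	key, err := cacheKey(rawURL)
	if err != nil {
		return nil, err
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if data, ok := c.entries[key]; ok {
		return data, nil
	}
	data, err := c.fetch(rawURL)
	if err != nil {
		return nil, err
	}
	c.Fetches++
	c.entries[key] = data
	return data, nil
}

func main() {
	// Constructed sample: two authorised tokens, one that is not.
	checker := tokenChecker(map[string]bool{"alice-token": true, "bob-token": true})
	cache := NewArchiveCache(checker, func(string) ([]byte, error) { return []byte("archive-bytes"), nil })
	const repo = "@sourcegraph.example/archive/foo/bar?rev=abc123"
	for _, user := range []string{"alice:alice-token", "bob:bob-token", "mallory:mallory-token"} {
		_, err := cache.Get("https://" + user + repo)
		fmt.Printf("%-22s err=%v fetches=%d\n", user, err, cache.Fetches)
	}
}
```

Running `main` shows alice causing the single origin fetch, bob served from the same entry without a second fetch, and mallory rejected before the cache is read. The observation that matters from the review question is the ordering in `Get`: the authorization check is what keeps the shared cache from leaking user B's data to user A, so it has to precede the cache lookup rather than sit only on the miss path.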