
The URL parameter maxage on index.php?action=raw accepts negative integers
Open, Needs Triage | Public | BUG REPORT

Description

Steps to replicate the issue:
Execute

curl -is 'https://translatewiki.net/wiki/Project:About?action=raw&maxage=-42' | grep -i cache-control

with a negative integer in the URL parameter maxage.
What happens?:
The result is

cache-control: public, s-maxage=0, max-age=-42

with a negative value in the attribute max-age of the HTTP header field Cache-Control.

What should have happened instead?:
A negative integer in the attribute max-age of the HTTP header field Cache-Control is not an allowed value, because according to https://www.rfc-editor.org/rfc/rfc9111.html#delta-seconds the value must be a non-negative integer:

The delta-seconds rule specifies a non-negative integer, representing time in seconds.

delta-seconds  = 1*DIGIT

The URL parameter maxage with a negative integer should be ignored.

Current behavior:

When the parameter is omitted, the default value 18000 from CdnMaxAge is used:

$ curl -is 'https://translatewiki.net/wiki/Project:About?action=raw' | grep -i cache-control
cache-control: public, s-maxage=0, max-age=18000

On invalid values like foo, the value 0 is used:

$ curl -is 'https://translatewiki.net/wiki/Project:About?action=raw&maxage=foo' | grep -i cache-control
cache-control: public, s-maxage=0, max-age=0

On floating point values (like 3.14), the integer part (like 3) is used:

$ curl -is 'https://translatewiki.net/wiki/Project:About?action=raw&maxage=3.14' | grep -i cache-control
cache-control: public, s-maxage=0, max-age=3

Leading spaces and tabs, leading zeros, and trailing junk (as in 0042f o o) are ignored (the value is treated like 42):

$ curl -is 'https://translatewiki.net/wiki/Project:About?action=raw&maxage=%20%090042f%20o%20o' | grep -i cache-control
cache-control: public, s-maxage=0, max-age=42

This replacement behavior doesn't violate the HTTP specification, but I think it is an unnecessary feature. I suggest accepting only values that match 1*DIGIT; all other values should be ignored and the default value 18000 from CdnMaxAge should be used.
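As an added illustration, not part of the report and not MediaWiki's own code: a small Python model of the two parsing policies side by side. The current behaviour is reproduced with a loose integer parse modelled on PHP's intval(); that intval() is what produces the observed results is my assumption, the report does not say so. The proposed behaviour accepts only RFC 9111 delta-seconds (1*DIGIT) and falls back to the CdnMaxAge default otherwise. The query values are the ones from the report (None stands for an omitted parameter); the function and constant names are mine.

```python
import re
from typing import Optional, Tuple

# Default the report attributes to CdnMaxAge on translatewiki.net.
CDN_MAX_AGE = 18000

# Loose parse modelled on PHP's intval() applied to a query string value.
# That intval() is behind the observed behaviour is an assumption made here,
# not something the report states. It skips leading whitespace, takes an
# optional sign and a run of ASCII digits and discards whatever follows;
# with no digits at all the result is 0. Exponent forms such as "1e3" are
# deliberately not modelled.
_LOOSE_INT = re.compile(r"[ \t\n\r\v\f]*([+-]?)([0-9]*)")


def php_intval_like(raw: str) -> int:
    m = _LOOSE_INT.match(raw)  # always matches: every part is optional
    sign, digits = m.group(1), m.group(2)
    if not digits:
        return 0
    value = int(digits)
    return -value if sign == "-" else value


def maxage_current(raw: Optional[str]) -> int:
    """Behaviour the report observes: omitted -> default, anything else -> loose parse."""
    if raw is None:
        return CDN_MAX_AGE
    return php_intval_like(raw)


# RFC 9111: delta-seconds = 1*DIGIT. [0-9] rather than \d, because in Python
# \d would also accept non-ASCII digits.
_DELTA_SECONDS = re.compile(r"[0-9]+")


def maxage_proposed(raw: Optional[str], default: int = CDN_MAX_AGE) -> int:
    """Behaviour the report proposes: accept only 1*DIGIT, otherwise use the default."""
    if raw is None or _DELTA_SECONDS.fullmatch(raw) is None:
        return default
    return int(raw)


def cache_control(max_age: int) -> str:
    """Header value in the shape the report shows."""
    return f"public, s-maxage=0, max-age={max_age}"


# Query values taken from the report; None means the parameter was omitted.
REPORT_VALUES = [None, "-42", "foo", "3.14", " \t0042f o o"]


def compare(raw: Optional[str]) -> Tuple[str, str]:
    """(current header value, proposed header value) for one raw maxage value."""
    return cache_control(maxage_current(raw)), cache_control(maxage_proposed(raw))


if __name__ == "__main__":
    for raw in REPORT_VALUES:
        now, then = compare(raw)
        print(f"maxage={raw!r:>16}  current: {now:<36} proposed: {then}")
```

Two things worth noticing when running it: 1*DIGIT still admits leading zeros, so 0042 is accepted and becomes 42, which the ABNF permits; and 1*DIGIT puts no upper bound on the value, so a separate cap is still needed if very large max-age values are a concern (RFC 9111 leaves caches to treat values they cannot represent as 2^31 or the largest integer they can conveniently hold).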