archweb

Cache the mirrorstatus json without potentially leaking secrets

Open jelly opened this issue 4 years ago • 1 comments

The mirror status json endpoint behaves differently if an authenticated user or a normal user queries it, making caching it return either the wrong data or sensitive data.

https://github.com/archlinux/archweb/commit/205ebb8f40982fe0c7b5b37af32b813ccaa012d2

Jul 25 '21 10:07 jelly

Seems the Django cache framework does not have an easy way to cache depending on the authenticated header; I've only found this decorator. As the main /mirrors/status/json feed is cached by nginx, this issue's priority is low.

Sep 12 '21 09:09 jelly
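
The failure mode described in this issue, as an added example that is not archweb's code or part of the thread: a cache keyed only on the path returns whichever response was stored first, while a cache that stores only anonymous responses and bypasses itself for authenticated requests does not. The view, the `staff_only_detail` field and the request sequences are constructed stand-ins; the thread does not say what the authenticated response adds.

```python
# Added illustration, not archweb code. All names and data are constructed.
import json

PATH = "/mirrors/status/json"


def mirror_status_json(user_is_authenticated):
    """Stand-in view: authenticated callers get one extra (hypothetical) field."""
    mirror = {"url": "https://mirror.example/", "last_sync": "2021-07-25T10:00:00Z"}
    if user_is_authenticated:
        mirror["staff_only_detail"] = "constructed-secret"
    return json.dumps({"urls": [mirror]}, sort_keys=True)


class PathOnlyCache:
    """Flawed: the key ignores who is asking, so the first response wins."""
    def __init__(self):
        self.store = {}

    def get(self, path, user_is_authenticated):
        if path not in self.store:
            self.store[path] = mirror_status_json(user_is_authenticated)
        return self.store[path]


class AnonymousOnlyCache:
    """Safer: only anonymous responses are stored; authenticated ones bypass."""
    def __init__(self):
        self.store = {}

    def get(self, path, user_is_authenticated):
        if user_is_authenticated:
            return mirror_status_json(True)  # never stored, never shared
        if path not in self.store:
            self.store[path] = mirror_status_json(False)
        return self.store[path]


def replay(cache, requests):
    """Return the body each (path, user_is_authenticated) request receives."""
    return [cache.get(path, authed) for path, authed in requests]


def leaks(bodies, requests):
    """True if any anonymous request received the staff-only field."""
    return any("staff_only_detail" in body
               for body, (_, authed) in zip(bodies, requests) if not authed)


AUTH_FIRST = [(PATH, True), (PATH, False)]   # constructed request order
ANON_FIRST = [(PATH, False), (PATH, True)]   # constructed request order
```

With `AUTH_FIRST` the path-only cache hands the authenticated body to the anonymous caller (sensitive data); with `ANON_FIRST` it hands the anonymous body to the authenticated caller (wrong data).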