Hi,
AFAICT the vulnerability is introduced in:
https://github.com/varnishcache/varnish-cache/commit/62932b422f311ed1224f14a216169bcdc1b77a2d
(removed "req->err_reason = NULL;")
The reproducer below doesn't leak with the prior commit, and leaks with
that commit as well as stretch/5.0.0.
Jessie/4.0.0 predates it, and the reproducer doesn't leak there either.
I believe my job here is done :)
-----
vcl 4.0;

backend default {
    .host = "127.0.0.1";
    .port = "80";
}

sub vcl_recv {
    if (req.url == "/prime") {
        set req.http.temp = "super";
        set req.http.secret = req.http.temp + "secret";
        return (synth(200, req.http.secret));
    }
}

sub vcl_deliver {
    if (req.url == "/test1") {
        return (restart);
    }
}
-----
curl localhost:6081/prime localhost:6081/test1
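A simplified model of the bug class behind that commit, added here as an illustration and not Varnish's own code: a request object reused across the two keep-alive requests keeps a pointer into its per-request scratch workspace, and the reuse routine either resets that pointer (the removed "req->err_reason = NULL;") or leaves it dangling so the next request reads the previous request's data. The struct layout, function names and the fixed-size workspace are assumptions made for the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WS_SIZE 64

/* Model of a request object reused across keep-alive requests (assumption,
 * not Varnish's real struct): a scratch workspace that is rewound but never
 * wiped, plus the reason phrase used for a synthetic response. */
struct req {
    char ws[WS_SIZE];
    size_t ws_used;
    const char *err_reason;
};

/* Bump allocation from the workspace; data stays in place after a rewind. */
static char *ws_alloc(struct req *r, size_t n) {
    if (r->ws_used + n > WS_SIZE)
        return NULL;
    char *p = r->ws + r->ws_used;
    r->ws_used += n;
    return p;
}

/* Prepare the object for the next request on the same connection.
 * clear_reason == 1 mirrors the old "req->err_reason = NULL;", 0 mirrors
 * the commit that removed it. */
static void req_reuse(struct req *r, int clear_reason) {
    r->ws_used = 0;            /* rewind only; bytes are not zeroed */
    if (clear_reason)
        r->err_reason = NULL;
}

/* /prime: build the secret in the workspace and use it as synth reason. */
static void handle_prime(struct req *r) {
    char *s = ws_alloc(r, 16);
    strcpy(s, "supersecret");
    r->err_reason = s;
}

/* /test1: restart with no reason of its own; a stale pointer wins here. */
static const char *handle_test1(struct req *r) {
    return r->err_reason ? r->err_reason : "OK";
}

/* Both reproducer requests on one connection; returns the reason /test1 sees. */
const char *reproduce(int clear_reason_between_requests) {
    static struct req r;
    memset(&r, 0, sizeof r);
    handle_prime(&r);
    req_reuse(&r, clear_reason_between_requests);
    return handle_test1(&r);
}
```

With the reset in place the second request sees "OK"; without it, the reason phrase carries the first request's "supersecret".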