Hi all,
This is more of question, rather than a bug report.
I've noticed that the Drupal cache using the query string (as well as the path) when constructing the cache_page key. This can result in the same page being unnecessarily cached several times.
eg. www.example.com/about will be cached separately to www.example.com/about?x=y or www.example.com/about?x=z
Obviously this is needed in order to cache pages where the query string is needed, eg. paginated pages. However, does this potentially open the site up to abuse / misuse by a malicious user?
For example, what if someone wrote a simple script to call a URL on your site with an increasing counter in the query string, example:
www.example.com/about?x=1
www.example.com/about?x=2
www.example.com/about?x=3
.....
www.example.com/about?x=1000000
This would result in the same page being cached 1 million times, likely filling up the APC memory limit and slowing the site down considerably.
Does anyone think this is a problem?
Comments
Comment #1
R.Muilwijk CreditAttribution: R.Muilwijk commentedThe APC Cache backend just saves by using the 'cid' is was called. If this needs to be fixed it should be fixed in drupal core.