[PATCH] mod_socache_memcache: don't ignore expiry


Faidon Liambotis
The memcache socache backend currently completely ignores the expiry
value, presumably due to historical limitations of aprutil that don't
apply anymore.

The current behavior is to always send "0" as the expiry value, which in
the memcached protocol translates as "never". This could have security
repercussions when memcache is used as a backing store for
SSLSessionCache, especially since SSLSessionCacheTimeout is ignored
silently. The session keys would presumably be expired by memcached as
the cache gets full but due to the LRU nature of memcached, an attacker
could request it often and thus keep it hot in the cache and never

Fixing this is trivial by just propagating the expiry time to memcached.
From my limited testing (intercepting memcached writes over the wire &
dumping memcached contents) the current time + SSLSessionCacheTimeout
seems to be correctly sent with this patch.

--- modules/cache/mod_socache_memcache.c (revision 1510425)
+++ modules/cache/mod_socache_memcache.c (working copy)
@@ -205,9 +205,10 @@
         return APR_EINVAL;
-    /* In APR-util - unclear what 'timeout' is, as it was not implemented */
-    rv = apr_memcache_set(ctx->mc, buf, (char*)ucaData, nData, 0, 0);
+    rv = apr_memcache_set(ctx->mc, buf, (char*)ucaData, nData,
+                          apr_time_sec(expiry), 0);
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s, APLOGNO(00790)
                      "scache_mc: error setting key '%s' "
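Review bot: the new apr_memcache_set() call passes apr_time_sec(expiry) with no comment, and the comment it replaces was the only note on what the timeout argument means. The value is a 64-bit apr_time_t narrowed implicitly to the apr_uint32_t timeout parameter, so an explicit (apr_uint32_t) cast would make the truncation intentional. Per the description, expiry is an absolute time (current time + SSLSessionCacheTimeout); memcached treats expiry values larger than 30 days' worth of seconds as absolute Unix timestamps, so this works, but it relies on the memcached server's clock agreeing with the httpd host's. A short comment at the call stating that the value is absolute epoch seconds, and noting the clock dependency, would keep the next reader from "fixing" it into a relative timeout.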