security.vcl icon indicating copy to clipboard operation
security.vcl copied to clipboard
verified publisher icon comotion

php.vcl breaks timthumb.php

Open missilefish opened this issue 12 years ago • 2 comments

Hi All,

This is my first and seemingly only issue I have with this terrific Varnish addition you all have developed. I'd like to find a way to include some kind of exclusion for what timthumb.php would need to run, it is very common with Wordpress themes. My only solution today (terrible with regex) is to comment out that one section below in the php.vcl security module.

http://EXAMPLEDOMAIN.COM/wp-content/themes/MISCTHEME/scripts/timthumb.php?src=http://EXAMPLEDOMAIN.COM/wp-content/uploads/2010/08/filename.png&w=60&h=60&zc=1&q=100

Any suggestions on crafting something awesome to handle this circumstance? Or a variable to set maybe that would allow certain external sources to be named/blessed, like an ACL?

From php.vcl (lines 133-140):

Generic check for remote code inclusion from external sites

    if (req.url ~ "=?(https?|ftps?|php)://") {
           set req.http.X-SEC-RuleName = "Remote site in URL parameter";
           set req.http.X-SEC-RuleId   = "100";
           set req.http.X-SEC-RuleInfo = "Generic check for remote code inclusion from external sites";
           call sec_php_sev1;
    }

missilefish avatar Jul 29 '13 20:07 missilefish

any solution so far to fix this problem? I have the same problem...

sz00gun avatar Mar 23 '15 21:03 sz00gun

You could make that if (req.url ~ "=?(https?|ftps?|php)://" && ! req.url ~ "timthumb.php") {

jhmartin avatar Mar 24 '15 01:03 jhmartin