Last Friday, Tavis Ormandy from Google's Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. It turned out that in some unusual circumstances, which I'll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines like Google. For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug. We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.