-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cache Key Validation #4637
Cache Key Validation #4637
Conversation
Thanks for the review @paulbalandan. I'd like your feedback on my responses before I implement any changes. |
@paulbalandan Go to my fork and select the |
/** | ||
* Maximum key length. | ||
*/ | ||
public const MAX_KEY_LENGTH = PHP_INT_MAX; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PHP_INT_MAX
is an excessively long amount. Can we have a reasonable number here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's basically meant to be "unlimited". I couldn't find limits for all the handlers, but P/Redis stores the keys as binary strings with a limit of 512 MB - huge, in other words: https://stackoverflow.com/questions/5606106/what-is-the-maximum-value-size-you-can-store-in-redis
I'm open to other suggestions, or varying the specific handlers more, but that's how I got there.
/** | ||
* Reserved characters that cannot be used in a key or tag. | ||
* | ||
* @see https://github.com/symfony/cache-contracts/blob/c0446463729b89dd4fa62e9aeecc80287323615d/ItemInterface.php#L43 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While I do not have a problem with proper code attribution, should this @see
be addressed to the PSR-6 document instead? This gives me a false impression that Symfony Cache is the authoritative source for the list of reserved cache characters whereas PSR-6 clearly gives this out.
Key - A string of at least one character that uniquely identifies a cached item. Implementing libraries MUST support keys consisting of the characters A-Z, a-z, 0-9, _, and . in any order in UTF-8 encoding and a length of up to 64 characters. Implementing libraries MAY support additional characters and encodings or longer lengths, but must support at least that minimum. Libraries are responsible for their own escaping of key strings as appropriate, but MUST be able to return the original unmodified key string. The following characters are reserved for future extensions and MUST NOT be supported by implementing libraries: {}()/@:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just read this line: but MUST be able to return the original unmodified key string.
Since MD5 hashing is a one-way process, then aren't we deviating again from PSR-6?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That link is because I copied this code from Symfony, more of an attribution than a reference. Maybe I should remove the @see
and just have the link?
BaseHandler::validateKey()
is not trying to be PSR-6 compliant - we'd have bigger issues to address if that were the case. The PSR-6 adapter will use this but handle its own keys and exceptions.
Test failures are unrelated:
Any more thoughts on this one? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm good with this, unless Lonnie has some more to add. 😁
Description
Cache keys are currently a free-for-all, though the specification is much tighter than that. Additionally, some handlers have limits on the length of key that can be used. So far the only one I know for sure is
FileHandler
, because using too long of a key fails to create the file since it is invalid in the filesystem.This PR adds cache key validation and hashing to address the above issues. Note that I am not a cache expert, so if someone with more knowledge or experience wants to chime in I would be grateful. For example, the restricted characters were based on PSR-6 but some handlers may actually allow broader key usage than that.
Checklist: