The matching regular expression did not align with the substitution
regular expression.

Refs d2e526ce

Avoid marking an object as an IMS candidate when a weak Last-Modified
header is the only validator. In the case where there is an ETag AND a
weak Last-Modified header, add a If-None-Match header, but do not add
an If-Modified-Since header.

Per RFC9110, the Last-Modified header is not a strong validator unless
it is at least one second older than the Date header. This is to prevent
revalidating content that has been changed within a second of the last
response. In the case of an intermediate cache like Varnish, a weak
Last-Modified validator is "weaker" than a weak ETag, and should not be
used for revalidating content.

This commit prepares varnishtest for a change to Varnish revalidations,
where the Last-Modified header must be at least one second older than
the Date header for Varnish to send an If-Modified-Since header.

Any explicitly defined Date header will override the default, and
the Date header can be omitted with -nodate.

Motivated by #3868

Spotted by GCC's fortification level 3.

As a convenience, the error message includes the actual total length
of data being g[un]zipped, in addition to the total_in amount of data
processed so far.

To be consistent with how the file cursor behaves, the close_fd field is
duplicated in the mmap cursor. If a VUT replaces stdin's file descriptor
with a regular file's fd using dup2(2), we don't want to close it just
because we managed to mmap(2) it.

For some reason we don't use the closefd() macro in the VSL cursor code,
potentially to avoid its underlying assertion in libvarnishapi.

On the other hand we do use it in other places:

    $ git grep -l closefd -- lib/libvarnishapi/
    lib/libvarnishapi/daemon.c
    lib/libvarnishapi/vsm.c

So maybe in a subsequent change `(void)close(fd)` statements could turn
into `closefd(&fd)` in vsl_cursor.c to harden those code paths as well.

As pointed out by Dridi, we should rather not make an attempt to
support un-printable socket names, of which the empty name is
the most prominent case.

For all other non-printable cases (e.g. d\0r\0i\0d\0i), we have
no support to pass them in the first place, because we treat
uds paths as NUL-terminated strings.

We use the commonplace @<name> syntax to specify abstract socket names.

Implements #3863

Motivated by #3864

This commit was guided by the cocci patch below, but lines to change
were manually selected.

Motivated by #3864

	--- 8< ---

@@
expression path;
@@

- *path == '/'
+ VUS_is(path)

@@
expression path;
@@

- *path != '/'
+ ! VUS_is(path)

we only forwarded the result from a single read(), which might have
missed information on the actual error.

space for larger XIDs.  Add a version field.

We had three call sites, one with and two without size checking.

Other improvements:

- zero (struct sockaddr_un).sun_path
- set errno if the path argument does not fit

Motivated by: #3863

to anchor patches

As far as I can see, this is only used in the vim->n_ stats, which are,
apparently, not used anywhere.

Check for correct handling of missing pseudo-headers, and invalid
characters.
Signed-off-by: Asad Sajjad Ahmed <asadsa@varnish-software.com>

We should apply the same restrictions on the list of allowed characters inside
H/2 pseudo-headers as we do for H/1. This error is translated into the
headers we send to a backend over H/1.

Failure to do so could permit various exploits against a backend not handling
malformed H/1 requests.
Signed-off-by: Asad Sajjad Ahmed <asadsa@varnish-software.com>

This expands the perfect hash lookup table to be able to match any entry
in the list of well-known headers from tbl/http_headers.h.

Previously only the headers that had a non-zero filter flag section was
kept in the fast match table.

Fixes: VSV00010