SECURITY: Ensure user-agent-based responses are cached separately (stable) (#16476)

lib/middleware/anonymous_cache.rb

@@ -12,6 +12,7 @@ module Middleware
       @@cache_key_segments ||= {
         m: 'key_is_mobile?',
         c: 'key_is_crawler?',
+        o: 'key_is_old_browser?',
         b: 'key_has_brotli?',
         t: 'key_cache_theme_ids',
         ca: 'key_compress_anon',
@@ -114,6 +115,10 @@ module Middleware
       end
       alias_method :key_is_crawler?, :is_crawler?
 
+      def key_is_old_browser?
+        CrawlerDetection.show_browser_update?(@env[USER_AGENT]) if @env[USER_AGENT]
+      end
+
       def cache_key
         return @cache_key if defined?(@cache_key)
 

spec/components/middleware/anonymous_cache_spec.rb

@@ -80,6 +80,14 @@ describe Middleware::AnonymousCache do
       end
     end
 
+    it "handles old browsers" do
+      SiteSetting.browser_update_user_agents = "my_old_browser"
+
+      key1 = new_helper("HTTP_USER_AGENT" => "my_old_browser").cache_key
+      key2 = new_helper("HTTP_USER_AGENT" => "my_new_browser").cache_key
+      expect(key1).not_to eq(key2)
+    end
+
     context "cached" do
       let!(:helper) do
         new_helper("ANON_CACHE_DURATION" => 10)