[master] a8cde64ad ban: Only accept exact variable name matches

Dridi Boukelmoune dridi.boukelmoune at gmail.com
Wed Aug 16 15:18:05 UTC 2023


commit a8cde64ad7f6914b46dde6d23a29a05cada3938b
Author: Walid Boudebouda <walid.boudebouda at gmail.com>
Date:   Wed Aug 2 10:54:12 2023 +0200

    ban: Only accept exact variable name matches
    
    Ban expression variables that partially match standard variable names
    (ex: req.urlXX) should not be accepted, except for variables that take
    an HTTP header name as a suffix.
    
    Fixes #3962

diff --git a/bin/varnishd/cache/cache_ban_build.c b/bin/varnishd/cache/cache_ban_build.c
index 28376f56c..e9a699674 100644
--- a/bin/varnishd/cache/cache_ban_build.c
+++ b/bin/varnishd/cache/cache_ban_build.c
@@ -245,9 +245,12 @@ BAN_AddTest(struct ban_proto *bp,
 	if (bp->err != NULL)
 		return (bp->err);
 
-	for (pv = pvars; pv->name != NULL; pv++)
-		if (!strncmp(a1, pv->name, strlen(pv->name)))
+	for (pv = pvars; pv->name != NULL; pv++) {
+		if (!(pv->flag & BANS_FLAG_HTTP) && !strcmp(a1, pv->name))
 			break;
+		if ((pv->flag & BANS_FLAG_HTTP) && !strncmp(a1, pv->name, strlen(pv->name)))
+			break;
+	}
 
 	if (pv->name == NULL)
 		return (ban_error(bp,
diff --git a/bin/varnishtest/tests/r03962.vtc b/bin/varnishtest/tests/r03962.vtc
new file mode 100644
index 000000000..2874353a4
--- /dev/null
+++ b/bin/varnishtest/tests/r03962.vtc
@@ -0,0 +1,13 @@
+varnishtest "ban expression object name prefixes"
+
+server s1 {} -start
+
+varnish v1 -vcl+backend {} -start
+
+
+varnish v1 -cliexpect {Unknown or unsupported field "req.urlXX"} "ban req.urlXX ~ foobarbazzz"
+varnish v1 -cliexpect {Unknown or unsupported field "obj.ageYY"} "ban obj.ageYY < 1d"
+varnish v1 -cliexpect {Unknown or unsupported field "req.ur"} "ban req.ur ~ foobarbazzz"
+varnish v1 -cliexpect {Unknown or unsupported field "req.htt"} "ban req.htt ~ foobarbazzz"
+varnish v1 -cliexpect {Unknown or unsupported field "req.htt.XXYY"} "ban req.htt.XXYY ~ foobarbazzz"
+varnish v1 -cliok "ban req.http.XXYY ~ foobarbazzz"
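Review bot: The new test only exercises the negative path for non-header variables; there is no positive check that an exact name such as `req.url` or `obj.age` is still accepted after the switch from prefix to exact matching, which is the regression this change could introduce. Adding `varnish v1 -cliok "ban req.url ~ foobarbazzz"` alongside the existing `-cliok` line would pin that. It would also be worth a case for a header variable with an empty suffix (`ban req.http. ~ foobarbazzz`), whose expected outcome depends on code not shown in this commit; if it is meant to be rejected, a `-cliexpect` line documents it, and if it is accepted today the test records that choice explicitly.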

