httpd-dev mailing list archives

From "William A. Rowe, Jr."
Subject Re: mod_deflate DoS using HEAD
Date Mon, 13 Jul 2009 21:57:43 GMT
Nick Kew wrote:
> Eric Covener wrote:
>>          /* For a 304 response, only change the headers */
>> -        if (r->status == HTTP_NOT_MODIFIED) {
>> +        if (r->status == HTTP_NOT_MODIFIED || r->header_only) {
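
Review bot: The context comment above the changed condition still reads "For a 304 response, only change the headers", but the new test also takes this branch when r->header_only is set, so the comment no longer describes the code; extend it to name header-only (HEAD) requests. The visible lines do not show what the branch does to Content-Encoding and Content-Length, so confirm that a response leaving through this path does not advertise an encoding or a length that the matching GET would not produce, and consider putting the r->header_only shortcut behind a documented configuration switch instead of applying it to every header-only request.
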
> Technically speaking, screws up the protocol.
> IMHO it would be acceptable provided:
>   (a) it's an option for the admin, rather than enforced
>   (b) it's documented
>   (c) the headers are correct: either Content-Encoding is
>       unset (uncompressed response) or Content-Length is
>       unset.  Probably the former.

Agreed.  It's not a DoS.  If the admin wants to conserve CPU
resources, they must either:

 * cache the deflated pages (avoid user-agent header if there
   are multiples, which reminds me we need a module to unset the
   accept deflate trigger on non-compliant browsers running
   very-first in the quick_handler.)

 * create gzip'ed content, navigate the choice of content through

 * do not do server-side deflation (it is expensive).

These two flaw reports are truly no more DoS than most CGI pages.
