httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: mod_deflate DoS using HEAD
Date Tue, 22 Jun 2010 13:55:03 GMT
 

> -----Original Message-----
> From: Eric Covener 
> Sent: Tuesday, 22 June 2010 15:33
> To: dev@httpd.apache.org
> Subject: Re: mod_deflate DoS using HEAD
> 
> On Tue, Jun 22, 2010 at 2:37 AM, Ruediger Pluem 
> <rpluem@apache.org> wrote:
> > Does someone still have Eric's patch? Seems that I can't 
> find it right now.
> 
> This is what I have, but I never got off the fence back then 
> much less now:
> 
> Index: modules/filters/mod_deflate.c
> ===================================================================
> --- modules/filters/mod_deflate.c       (revision 793619)
> +++ modules/filters/mod_deflate.c       (working copy)
> @@ -578,7 +578,7 @@
>         deflate_check_etag(r, "gzip");
> 
>         /* For a 304 response, only change the headers */
> -        if (r->status == HTTP_NOT_MODIFIED) {
> +        if (r->status == HTTP_NOT_MODIFIED || r->header_only) {
>             ap_remove_output_filter(f);
>             return ap_pass_brigade(f->next, bb);
>         }
> 
> 
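
Review bot: the comment above the changed `if` still reads "For a 304 response, only change the headers", but with `|| r->header_only` added the branch is now also taken for HEAD requests. Extend the comment to name the HEAD case and the reason for it, so the extra condition is not later dropped as unrelated to 304 handling.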

Thanks for that. I guess the patch is not complete for current trunk.
IMHO it should look like:

Index: modules/filters/mod_deflate.c
===================================================================
--- modules/filters/mod_deflate.c       (revision 955960)
+++ modules/filters/mod_deflate.c       (working copy)
@@ -562,7 +562,7 @@
          * send out the headers).
          */

-        if (r->status != HTTP_NOT_MODIFIED) {
+        if ((r->status != HTTP_NOT_MODIFIED) && !r->header_only) {
             ctx = f->ctx = apr_pcalloc(r->pool, sizeof(*ctx));
             ctx->bb = apr_brigade_create(r->pool, f->c->bucket_alloc);
             ctx->buffer = apr_palloc(r->pool, c->bufferSize);
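
Review bot: with `&& !r->header_only` on this `if`, `f->ctx` is no longer allocated for HEAD requests, so this is only safe while the early return in the next hunk stays the exact negation of this condition. Computing the condition once into a local flag and testing it in both places would keep the two from drifting apart; otherwise a later edit to one test leaves a path that uses `ctx` without it having been set up.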
@@ -616,7 +616,7 @@
         deflate_check_etag(r, "gzip");

         /* For a 304 response, only change the headers */
-        if (r->status == HTTP_NOT_MODIFIED) {
+        if ((r->status == HTTP_NOT_MODIFIED) || r->header_only) {
             ap_remove_output_filter(f);
             return ap_pass_brigade(f->next, bb);
         }
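
Review bot: in the `r->header_only` case added to this check, the filter is removed only after `deflate_check_etag(r, "gzip")` on the context line above has already run, so a HEAD response still gets the gzip ETag handling although no body is ever compressed. If that is intended, to keep HEAD headers in line with the GET response, say so in the comment, which currently mentions only the 304 case.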

I am currently +0 on whether to use the patch above or my original
proposal. Both have their pros and cons (Saving more CPU vs. being more
picky about caching and implementing an RFC SHOULD).

Regards

Rüdiger


