httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 15:41:03 GMT

On Aug 23, 2011, at 9:34 PM, Roy T. Fielding wrote:

> On Aug 23, 2011, at 2:34 PM, William A. Rowe Jr. wrote:
> 
>> On 8/23/2011 4:00 PM, Greg Ames wrote:
>>> 
>>> On Tue, Aug 23, 2011 at 3:32 PM, William A. Rowe Jr. wrote:
>>> 
>>>   I suggest we should be parsing and reassembling the list before we
>>>   start the bucket logic. 
>>> 
>>>   I propose we satisfy range requests in the only sensible manner, returning
>>>   the ranges in sequence,
>>> 
>>> yeah, overlapping ranges should be merged up front. That ought to completely
>>> fix the issue.
>> 
>> So the only remaining question: are we free to reorder them into sequence?
> 
> And the spec says ...
> 
>   When a client requests multiple ranges in one request, the
>   server SHOULD return them in the order that they appeared in the
>   request.
> 
> My suggestion is to reject any request with overlapping ranges

+1

> or more
> than five ranges with a 416, and to send 200 for any request with 4-5
> ranges.  There is simply no need to support random access in HTTP.

-0
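
The policy suggested in the quoted text (416 for overlapping ranges or more than five ranges, 200 for 4-5 ranges), sketched in C as an added example; it is not code from this thread or from httpd. The function name `range_policy`, the choice to answer malformed headers with 200, the skipping of unsatisfiable ranges, and the sample headers are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RANGES 5 /* limit proposed in the message above */

/* Status a server applying the proposed policy would send for a Range header
 * against an entity of clen bytes: 416 = overlapping ranges, more than
 * MAX_RANGES ranges, or nothing satisfiable; 206 = serve the 1-3 ranges;
 * 200 = send the whole entity (4-5 ranges; also, by assumption, bad syntax). */
int range_policy(const char *hdr, long long clen)
{
    long long lo[MAX_RANGES], hi[MAX_RANGES];
    const char *p = hdr;
    char *end;
    int n = 0, i;

    if (strncmp(p, "bytes=", 6) != 0 || !hdr[6]) return 200;
    for (p += 6; *p; ) {
        long long a = -1, b = -1;                    /* -1 means "not given" */
        if (isdigit((unsigned char)*p)) { a = strtoll(p, &end, 10); p = end; }
        if (*p++ != '-') return 200;
        if (isdigit((unsigned char)*p)) { b = strtoll(p, &end, 10); p = end; }
        if ((a < 0 && b < 0) || (a >= 0 && b >= 0 && b < a)) return 200;
        if (*p == ',') { p++; while (*p == ' ') p++; if (!*p) return 200; }
        else if (*p) return 200;
        if (a < 0) { a = b < clen ? clen - b : 0; b = clen - 1; } /* suffix "-N" */
        else if (b < 0 || b >= clen) b = clen - 1;   /* open-ended "A-", or clamp */
        if (a >= clen || a > b) continue;            /* unsatisfiable: skip it */
        if (n == MAX_RANGES) return 416;             /* a sixth range */
        for (i = 0; i < n; i++)
            if (a <= hi[i] && lo[i] <= b) return 416; /* overlaps an earlier one */
        lo[n] = a; hi[n] = b; n++;
    }
    if (n == 0) return 416;
    return n >= 4 ? 200 : 206;
}

int main(void)
{
    /* Constructed sample headers, checked against a 1000-byte entity. */
    const char *samples[] = { "bytes=0-99", "bytes=0-99,200-299,-100",
        "bytes=0-,0-,0-", "bytes=0-9,20-29,40-49,60-69",
        "bytes=0-0,2-2,4-4,6-6,8-8,10-10", "bytes=abc" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-36s -> %d\n", samples[i], range_policy(samples[i], 1000));
    return 0;
}
```

The check runs on the parsed header alone, before any response body is assembled, so a request made of many overlapping ranges is refused at parse cost rather than at output cost.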