httpd-dev mailing list archives

From Tim Bannister <is...@jellybaby.net>
Subject Re: DoS with mod_deflate & range requests
Date Tue, 23 Aug 2011 14:00:42 GMT
On Tue, Aug 23, 2011 at 02:15:16PM +0200, Lazy wrote:
> 2011/8/23 Stefan Fritsch <sf@sfritsch.de>:
> > http://seclists.org/fulldisclosure/2011/Aug/175
> >
> > I haven't looked into it so far. And I am not sure I will have time today.
> >
> 
> it is sending HEAD requests with lots of ranges
> HEAD / HTTP/1.1
> Host: xxxx
> Range:bytes=0-,5-1,5-2,5-3,.....
…
> does Range in HEAD request have any sense at all?

One /possible/ use is as an equivalent for a conditional GET, i.e.
GET / HTTP/1.1
Host: xxx
Range: bytes=1024-
If-Range: "foo"

…to which the correct response should I think be either 200 or 206 depending 
on whether the document is modified.

But it's a pretty odd case. I can't imagine any published client or proxy 
that would make such a request. It would in any case be acceptable to 
return a 200 response instead; RFC 2616 states that "A server MAY ignore 
the Range header".

Tim Bannister
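
Added example, not part of the original message and not httpd code: a sketch of the "ignore Range and answer 200" fallback discussed above, applied to the kind of header quoted in the thread. The function names and the MAX_RANGES limit are assumptions made for illustration, and the entity length (needed for a 416 decision) is deliberately left out.

```python
import re

# Assumed policy limit for this example; not a value from the thread or from httpd.
MAX_RANGES = 10

# One byte-range-spec ("first-last", "first-") or suffix-byte-range-spec ("-n").
_SPEC = re.compile(r"^([0-9]*)-([0-9]*)$")


def parse_byte_ranges(header_value):
    """Parse a Range header value into [(first, last), ...].

    first or last is None for the open-ended and suffix forms.
    Returns None when the header should be ignored as a whole.
    """
    unit, sep, range_set = header_value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None  # missing "=" or a range unit other than bytes
    ranges = []
    for spec in range_set.split(","):
        spec = spec.strip()
        if not spec:
            continue  # HTTP list syntax tolerates empty elements
        m = _SPEC.match(spec)
        if not m or (not m.group(1) and not m.group(2)):
            return None  # not a byte-range-spec at all (e.g. "-" or "a-b")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            # RFC 2616 14.35.1: such a spec is syntactically invalid and the
            # recipient must ignore the whole header field.
            return None
        ranges.append((first, last))
    return ranges or None


def decide_status(header_value, max_ranges=MAX_RANGES):
    """Return (status, reason): 206 to honour Range, 200 to serve the full entity."""
    ranges = parse_byte_ranges(header_value)
    if ranges is None:
        return 200, "invalid or unsupported Range, ignored"
    if len(ranges) > max_ranges:
        return 200, "too many ranges, ignored"
    return 206, "ok"
```

The header quoted in the thread already falls back to 200 here because `5-1` has a last-byte-pos below its first-byte-pos; the count limit covers sets in which every spec is valid.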
