httpd-dev mailing list archives

From Tim Bannister <is...@jellybaby.net>
Subject Re: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 15:35:59 GMT
On Tue, Aug 23, 2011, Roy T. Fielding wrote:
> And the spec says ...
> 
>    When a client requests multiple ranges in one request, the
>    server SHOULD return them in the order that they appeared in the
>    request.
> 
> My suggestion is to reject any request with overlapping ranges or more 
> than five ranges with a 416, and to send 200 for any request with 4-5 
> ranges.  There is simply no need to support random access in HTTP.

Deshpande & Zeng in http://dx.doi.org/10.1145/500141.500197 describe a 
method for "streaming" JPEG 2000 documents over HTTP, using many more than 
5 ranges in a single request.
A client that knows about any server-side limit could make multiple 
requests each with a small number of ranges, but discovering that limit 
will add latency and take more code.

Tim Bannister
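
The policy quoted above, written out as an added example (it is not code from this thread or from httpd): a byte-range parser that returns the status code the suggestion would give. The names `parse_ranges` and `decide` are hypothetical, the thresholds come from the quoted text, and treating a malformed header as ignored (200) is an assumption.

```python
import re

MAX_RANGES = 5       # more than five ranges -> 416 (threshold from the quoted suggestion)
FULL_BODY_FROM = 4   # 4-5 ranges -> ignore Range, send the whole entity with 200
_SPEC = re.compile(r"^(\d*)-(\d*)$")   # "first-last", "first-" or "-suffix"

def parse_ranges(header, length):
    """Resolve a Range header to inclusive (first, last) pairs; None if malformed."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    resolved = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None
        first, last = m.groups()
        if first == "":                       # suffix form: the final N bytes
            start, end = max(length - int(last), 0), length - 1
        else:
            start = int(first)
            if last and int(last) < start:    # last < first is syntactically invalid
                return None
            end = min(int(last), length - 1) if last else length - 1
        if start < length:                    # unsatisfiable specs are dropped
            resolved.append((start, end))
    return resolved

def decide(header, length):
    """Return the status code the quoted policy gives for this Range header."""
    if header.count(",") + 1 > MAX_RANGES:    # cheap count before any parsing
        return 416
    ranges = parse_ranges(header, length)
    if ranges is None:
        return 200                            # malformed header is ignored (assumption)
    if not ranges:
        return 416                            # nothing satisfiable
    ordered = sorted(ranges)
    if any(b[0] <= a[1] for a, b in zip(ordered, ordered[1:])):
        return 416                            # overlapping ranges
    n = header.count(",") + 1
    return 200 if n >= FULL_BODY_FROM else 206

if __name__ == "__main__":
    # Constructed sample headers against a 1000-byte entity
    for h in ("bytes=0-99", "bytes=0-499,400-599", "bytes=0-,0-,0-,0-,0-,0-",
              "bytes=0-9,20-29,40-49,60-69"):
        print(h, "->", decide(h, 1000))
```

A request with many small non-overlapping ranges, the pattern the streaming client in the reply relies on, gets 416 under this policy once it exceeds five ranges.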
