httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 23:50:39 GMT
On 8/24/2011 6:43 PM, Roy T. Fielding wrote:
> On Aug 24, 2011, at 4:39 PM, William A. Rowe Jr. wrote:
> 
>> On 8/24/2011 4:54 PM, Roy T. Fielding wrote:
>>> On Aug 24, 2011, at 1:56 PM, Roy T. Fielding wrote:
>>>> To be clear, I am more than willing to rewrite the part on
>>>> Ranges such that the above is explicitly forbidden in HTTP.
>>>> I am not sure what the WG would agree to, but I am quite certain
>>>> that part of the reason we have an Apache server is to protect
>>>> the Internet from idiotic ideas like the above.
>>>
>>> http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311
>>
>> Excellent, thanks.  Just curious, isn't this clarification outside of
>> the remit of 2616bis?
> 
> Security repairs are never out of scope.

Ack.

So, I suspect the best we can do today, 4 days later, is to implement Roy's
draft [link] as the POC/reference implementation and work with the rest of
the http server community to ensure it is the right solution.

I suggest we publish this as a patch, /not/ as a release, until we find just
a bit more buy-in from the other implementors.

Bill

