httpd-dev mailing list archives

From "William A. Rowe Jr." <>
Subject Re: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 23:50:39 GMT
On 8/24/2011 6:43 PM, Roy T. Fielding wrote:
> On Aug 24, 2011, at 4:39 PM, William A. Rowe Jr. wrote:
>> On 8/24/2011 4:54 PM, Roy T. Fielding wrote:
>>> On Aug 24, 2011, at 1:56 PM, Roy T. Fielding wrote:
>>>> To be clear, I am more than willing to rewrite the part on
>>>> Ranges such that the above is explicitly forbidden in HTTP.
>>>> I am not sure what the WG would agree to, but I am quite certain
>>>> that part of the reason we have an Apache server is to protect
>>>> the Internet from idiotic ideas like the above.
>> Excellent, thanks.  Just curious, isn't this clarification outside of
>> the remit of 2616bis?
> Security repairs are never out of scope.


So, I suspect the best we can do today, 4 days later, is to implement Roy's
draft [link] as the POC/reference implementation and work with the rest of
the http server community to ensure it is the right solution.

I suggest we publish this as a patch, /not/ as a release, until we find just
a bit more buy-in from the other implementors.

