httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Fixing Ranges
Date Thu, 25 Aug 2011 17:45:27 GMT
On 8/25/2011 11:24 AM, Jim Jagielski wrote:
> I'm playing around w/ ap_set_byterange() for the merging and
> detection part, but that should not hold up release with the
> optimized code…
> 
> I can do a 2.2.10 release with the byte range stuff once we
> agree on the back port and confirm it fixes the problem...

I guess I'm a bit confused... so the net brigade/range patch should
be something reasonable anybody can apply to 2.0 / 2.2.  Let's get
that net patch published as a fresh advisory by the end of the day?

There doesn't seem to be a really good reason to release half of
the solution, if many of us agree that 'something more' should be
done, but it will take not only our consensus, but the http-wg group
server authors to find consensus on how servers will react to extra
quirky range requests starting at least in August '11.

I'd rather see 2.2.10 implement that entire solution, even if this
takes us a week.  Allowing 1-100,900-999,1-100,900-999 remains a
DoS, even if this is a trivial one, because the resources returned
exceed the reasonable resources required in bandwidth, cpu, even if
we never wasted memory.
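
The repeated-range point in the last paragraph, as an added example that is not part of the original message and not httpd code: it parses a range set, then compares the bytes a server would send if it served every range as given with the bytes left after overlapping and duplicate ranges are merged. `range_stats_compute`, `MAX_RANGES` and `MAX_OFFSET` are hypothetical names and limits, and only explicit `first-last` specs are handled (no suffix or open-ended forms).

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX_RANGES 64            /* assumed cap for this example */
#define MAX_OFFSET (1LL << 40)   /* assumed bound; keeps the sums from overflowing */
typedef struct { long long start, end; } range_t;          /* inclusive offsets */
typedef struct { long long requested, merged; } range_stats;
static int cmp_start(const void *a, const void *b) {
    const range_t *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Parse "first-last,first-last,...": 0 on success, -1 if malformed or too long. */
int range_stats_compute(const char *spec, range_stats *out) {
    range_t r[MAX_RANGES], cur;
    int n = 0, i;
    const char *p = spec;
    char *e;
    out->requested = out->merged = 0;
    for (; *p; n++) {
        if (n == MAX_RANGES) return -1;
        r[n].start = strtoll(p, &e, 10);
        if (e == p || *e != '-') return -1;
        p = e + 1;
        r[n].end = strtoll(p, &e, 10);
        if (e == p || (*e != ',' && *e != '\0')) return -1;
        if (r[n].start < 0 || r[n].end < r[n].start || r[n].end > MAX_OFFSET) return -1;
        out->requested += r[n].end - r[n].start + 1;   /* bytes sent if served as given */
        p = (*e == ',') ? e + 1 : e;
    }
    if (n == 0) return -1;
    qsort(r, n, sizeof r[0], cmp_start);
    cur = r[0];
    for (i = 1; i < n; i++) {
        if (r[i].start > cur.end) {             /* gap: close the current run */
            out->merged += cur.end - cur.start + 1;
            cur = r[i];
        } else if (r[i].end > cur.end) {        /* overlap or duplicate: extend */
            cur.end = r[i].end;
        }
    }
    out->merged += cur.end - cur.start + 1;
    return 0;
}

int main(void) {   /* the range set quoted in the message above */
    range_stats s;
    if (range_stats_compute("1-100,900-999,1-100,900-999", &s)) return 1;
    return printf("%lld requested, %lld distinct\n", s.requested, s.merged) < 0;
}
```

A `requested` total larger than `merged` means the range set contains overlap, which a server can use as the signal to coalesce the ranges or fall back to a single full response.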
