httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Bannister <>
Subject Re: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 18:43:31 GMT
On 24 Aug 2011, at 17:47, Stefan Fritsch wrote:
On Wednesday 24 August 2011, Jim Jagielski wrote:
>> On Aug 24, 2011, at 12:05 PM, Plüm, Rüdiger, VF-Group wrote:
>>> But merging might require sorting...
>> then we don't do that merge, imo… In other words, we progress thru the set of ranges
and once a range is merged as far as it can be (due to the next range not being merge-able
with the previous one), we let it go...
> We could also use a two stage approach: Up to some limit (e.g. 50) ranges, we return
them as the client requested them. Over that limit, we violate the RFC-SHOULD and sort and
merge them.

Another option is just to return 200. Servers MAY ignore the Range header. I prefer this because
existing clients already handle that case well, and there's no opportunity for a client to
exploit this (“malicious” clients that want the whole entity need only request it).

Can anyone see why returning 200 for these complex requests (by ignoring Range / If-Range)
is a bad idea?

Tim Bannister –

View raw message