httpd-dev mailing list archives

From Tim Bannister <is...@jellybaby.net>
Subject Re: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 20:37:22 GMT
On 24 Aug 2011, at 20:13, Jim Jagielski wrote:

>> Another option is just to return 200. Servers MAY ignore the Range header. I prefer
>> this because existing clients already handle that case well, and there's no opportunity for
>> a client to exploit this (“malicious” clients that want the whole entity need only request
>> it).
>> 
>> Can anyone see why returning 200 for these complex requests (by ignoring Range /
>> If-Range) is a bad idea?
> 
> In what cases would we ignore it? Dependent only on >=X ranges?

I don't have any strong opinion about exactly when to ignore Range. From an HTTP client PoV
I wouldn't want to get 416 from requesting a satisfiable but complex range (maliciously or
otherwise).

Ignoring Range on (ranges >= X) is simple to implement and easy to document, so why not
do that?

-- 
Tim Bannister – isoma@jellybaby.net
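
The policy discussed in this message (ignore Range and answer 200 once a request carries X or more ranges), as an added example that is not part of the original e-mail or of httpd's source. The threshold value `RANGE_LIMIT_X` and the function names are assumptions made for illustration; the thread does not fix a value for X.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical threshold "X"; the thread does not fix a value. */
#define RANGE_LIMIT_X 5

enum range_action { SERVE_FULL_200, SERVE_PARTIAL_206 };

/* Count comma-separated range-specs in a "bytes=" Range header value.
 * Returns 0 when the header is absent, uses another unit, or has no specs. */
static size_t count_byte_ranges(const char *range_hdr)
{
    size_t n = 0;
    int in_spec = 0;
    const char *p;

    if (range_hdr == NULL || strncasecmp(range_hdr, "bytes=", 6) != 0)
        return 0;
    for (p = range_hdr + 6; *p != '\0'; p++) {
        if (*p == ',') {
            in_spec = 0;        /* separator ends the current spec */
        } else if (*p != ' ' && *p != '\t' && !in_spec) {
            in_spec = 1;        /* first non-blank char of a new spec */
            n++;
        }
    }
    return n;
}

/* At or above the limit, ignore Range and send the whole entity with 200
 * instead of rejecting a satisfiable but complex request with 416. */
enum range_action decide_range_action(const char *range_hdr, size_t limit)
{
    size_t n = count_byte_ranges(range_hdr);

    if (n == 0 || n >= limit)
        return SERVE_FULL_200;
    return SERVE_PARTIAL_206;
}

int main(void)
{
    const char *hdr = "bytes=0-0,1-1,2-2,3-3,4-4";  /* constructed sample */
    printf("%s -> %s\n", hdr,
           decide_range_action(hdr, RANGE_LIMIT_X) == SERVE_FULL_200 ? "200" : "206");
    return 0;
}
```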

