httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Ames <>
Subject Re: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 20:39:55 GMT
On Wed, Aug 24, 2011 at 3:19 PM, Jim Jagielski <> wrote:

> >
> > If we only merge adjacent ascending ranges, then it seems like an
> attacker could just craft a header where the ranges jump around and dodge
> our fix.
> >
> I think no matter what, we should still have some sort of
> upper limit on the number of range-sets we accept… after all,
> merge doesn't prevent jumping around ;)
The problem I have with the upper limit on the number of range sets is the
use case someone posted for JPEG2000 streaming.  That has a lot of range
sets but is completely legit.  However, the ranges are in ascending order
and don't overlap.  Maybe we could count overlaps and/or non-ascending order
ranges and fall back to 200 + the whole object if it exceeds a limit.


View raw message