httpd-dev mailing list archives

From Greg Ames <ames.g...@gmail.com>
Subject Re: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 19:10:45 GMT
On Wed, Aug 24, 2011 at 12:42 PM, Jim Jagielski <jim@jagunet.com> wrote:

> On Aug 24, 2011, at 12:22 PM, William A. Rowe Jr. wrote:
>
> >  0-, 40-50 becomes 0-
> >  0-499, 400-599 becomes 0-599
> >  1000-1075, 200-250, 1051-1100 becomes 1000-1100, 200-250
>
> This goes against Roy's recommendation to 416 overlaps…  But
> I do see that an overlap is specifically noted in an example

Yeah.  The very end of section 14.35.1 says an overlap is legal, so I'm
confused.


> Until we are *clear* on what we should be doing, spec-wise, I
> think it's unwise to make assumptions…
>
> From the above, I would be more comfortable with
>
>   0-, 40-50 ---> 0-
>   0-499, 400-599 ---> 0-599
>   1000-1075, 1025-1088, 200-250, 1051-1100 ---> 1000-1088, 200-250, 1051-1100
>
> that is, merge as we can, but never re-sort...


How about:

1000-2000,100-200,3000-4000,200-300,1999-3001

?

If we don't return a 416 for that due to overlap, I think the merge should
be:

1000-4000,100-300

If we only merge adjacent ascending ranges, then it seems like an attacker
could just craft a header where the ranges jump around and dodge our fix.

The other small point I wanted to make is that both ends of a range could
overlap previously specified ranges.

Greg
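As an added example, not code from httpd or from anyone on this thread, here is the order-independent merge Greg describes, in C: each new range is folded into any earlier range it overlaps (at either end), so the jumping-around header above collapses to 1000-4000,100-300 regardless of list order, and input the parser cannot make sense of is rejected so the caller can answer 416. It assumes only "first-last" and "first-" range forms; suffix ranges such as "-500" are treated as malformed for brevity.

```c
/* Order-independent merging of Range header byte ranges (added example, not
 * httpd code; only "first-last" and "first-" forms are accepted). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#define OPEN_END LONG_MAX   /* "first-": runs to the end of the resource */
typedef struct { long start, end; } byte_range;

/* Parse hdr into out[] (capacity max), folding each new range into every earlier
 * range it overlaps, whatever order the header lists them in. Both ends may
 * overlap, so one range can bridge several; the merged range keeps the slot of
 * the earliest one involved (no re-sorting). Returns the number of distinct
 * ranges, or -1 for malformed or oversized input so the caller can answer 416. */
static int merge_ranges(const char *hdr, byte_range *out, int max)
{
    int n = 0;
    if (strncmp(hdr, "bytes=", 6) != 0) return -1;
    for (const char *p = hdr + 6; *p; ) {
        char *e; byte_range cur = { strtol(p, &e, 10), OPEN_END };
        if (e == p || *e != '-' || cur.start < 0) return -1;   /* rejects "-500" too */
        p = e + 1;
        if (*p && *p != ',') {                                 /* explicit last byte */
            cur.end = strtol(p, &e, 10);
            if (e == p || cur.end < cur.start) return -1;
            p = e;
        }
        if (*p == ',') p++; else if (*p) return -1;
        int slot = -1;
        for (int i = 0; i < n; i++) {
            if (cur.start > out[i].end || out[i].start > cur.end) continue;
            if (out[i].start < cur.start) cur.start = out[i].start;
            if (out[i].end > cur.end) cur.end = out[i].end;
            if (slot < 0) { slot = i; continue; }              /* first hit: reuse its slot */
            memmove(&out[i], &out[i + 1], (size_t)(n - i - 1) * sizeof *out);
            n--; i--;                                          /* later hit: absorbed */
        }
        if (slot >= 0) out[slot] = cur;
        else if (n < max) out[n++] = cur; else return -1;      /* too many ranges: reject */
    }
    return n;
}

/* Render the merged set as "a-b,c-" text and compare it with expect. */
static int merges_to(const char *hdr, const char *expect)
{
    byte_range r[16]; int n = merge_ranges(hdr, r, 16);
    char buf[128] = ""; size_t used = 0;
    for (int i = 0; i < n && used < sizeof buf; i++) {
        used += (size_t)snprintf(buf + used, sizeof buf - used, "%s%ld-", i ? "," : "", r[i].start);
        if (r[i].end != OPEN_END && used < sizeof buf)
            used += (size_t)snprintf(buf + used, sizeof buf - used, "%ld", r[i].end);
    }
    return n >= 0 && strcmp(buf, expect) == 0;
}
```

Counting the ranges that survive merging, rather than the ones the client listed, is what makes a cap on range count robust against headers whose ranges jump around.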
