httpd-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 01:34:39 GMT
On Aug 23, 2011, at 2:34 PM, William A. Rowe Jr. wrote:

> On 8/23/2011 4:00 PM, Greg Ames wrote:
>> 
>> On Tue, Aug 23, 2011 at 3:32 PM, William A. Rowe Jr. wrote:
>> 
>>    I suggest we should be parsing and reassembling the list before we
>>    start the bucket logic. 
>> 
>>    I propose we satisfy range requests in the only sensible manner, returning
>>    the ranges in sequence,
>> 
>> yeah, overlapping ranges should be merged up front. That ought to completely fix the issue.
> 
> So the only remaining question: are we free to reorder them into sequence?

And the spec says ...

   When a client requests multiple ranges in one request, the
   server SHOULD return them in the order that they appeared in the
   request.

My suggestion is to reject any request with overlapping ranges or more
than five ranges with a 416, and to send 200 for any request with 4-5
ranges.  There is simply no need to support random access in HTTP.

....Roy
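
The policy suggested in the message above, sketched in C as an added example (not part of the original message and not httpd code). The names `range_policy` and `num`, the 206 result for one to three non-overlapping ranges, and ignoring a syntactically invalid header (200) are assumptions of this sketch.

```c
#include <limits.h>
#include <string.h>

#define MAX_RANGES 5                 /* limit named in the message */
#define BIG (LLONG_MAX / 16)         /* saturation value for huge numbers */

/* Read a run of digits at *p into *v; returns 1 if any digit was read. */
static int num(const char **p, long long *v)
{
    const char *start = *p;
    for (*v = 0; **p >= '0' && **p <= '9'; (*p)++) {
        *v = *v * 10 + (**p - '0');
        if (*v > BIG) *v = BIG;      /* clamp before it can overflow */
    }
    return *p != start;
}

/* Status the policy selects for a Range header on an entity of clen bytes:
 * 416, 200 (whole entity, header ignored) or 206. */
int range_policy(const char *hdr, long long clen)
{
    long long s[MAX_RANGES], e[MAX_RANGES], a, b;
    int total = 0, n = 0, overlap = 0, i, has_a, has_b;
    const char *p = hdr;

    if (strncmp(p, "bytes=", 6) != 0) return 200;   /* not a byte range */
    for (p += 6;; p++) {                            /* p++ skips the comma */
        has_a = num(&p, &a);
        if (*p++ != '-') return 200;                /* malformed: ignore header */
        has_b = num(&p, &b);
        if ((!has_a && !has_b) || (has_a && has_b && a > b)) return 200;
        if (!has_a) {                               /* suffix "-N": last N bytes */
            a = b < clen ? clen - b : 0;
            b = b ? clen - 1 : -1;
        } else if (!has_b || b >= clen) {
            b = clen - 1;                           /* open-ended or past the end */
        }
        if (++total <= MAX_RANGES && a <= b) {      /* satisfiable: keep it */
            for (i = 0; i < n; i++)
                overlap |= a <= e[i] && s[i] <= b;  /* compare resolved offsets */
            s[n] = a; e[n] = b; n++;
        }
        if (*p == '\0') break;
        if (*p != ',') return 200;
    }
    if (total > MAX_RANGES || overlap || n == 0) return 416;
    return total >= 4 ? 200 : 206;                  /* 206 for 1-3: assumption */
}
```

Overlap is checked on offsets resolved against the entity length, so suffix and open-ended forms such as `-100` and `950-` are caught as overlapping as well.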

