httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 15:55:12 GMT
 

> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:Dirk-Willem.van.Gulik@bbc.co.uk] 
> Sent: Mittwoch, 24. August 2011 17:46
> To: dev@httpd.apache.org
> Subject: Re: DoS with mod_deflate & range requests
> 
> 
> On 24 Aug 2011, at 16:35, Tim Bannister wrote:
> 
> > On Tue, Aug 23, 2011, Roy T. Fielding wrote:
> >> And the spec says ...
> >> 
> >>   When a client requests multiple ranges in one request, the
> >>   server SHOULD return them in the order that they appeared in the
> >>   request.
> >> 
> >> My suggestion is to reject any request with overlapping 
> ranges or more
> >> than five ranges with a 416, and to send 200 for any 
> request with 4-5
> >> ranges.  There is simply no need to support random access in HTTP.
> > 
> > Deshpande & Zeng in http://dx.doi.org/10.1145/500141.500197 
> describe a
> > method for "streaming" JPEG 2000 documents over HTTP, using 
> many more than
> > 5 ranges in a single request.
> > A client that knows about any server-side limit could make multiple
> > requests each with a small number of ranges, but 
> discovering that limit
> > will add latency and take more code.
> 
> Agreed - I've seen many 10's of ranges in a single request 
> for things like clever PDF pagination (or tiny TIFF 
> quicklooks for the pages), clever http fake streaming and 
> clever use of jumping to i-Frames.
> 
> I think we just need to sit this out - and accept up to 
> RequestFieldSize limit bytes on that line - and then do a 
> sort & merge overlaps as needed. 

Hm. If I got it right what Roy says above about the spec sorting and merging is
not an option as we need to stick to the order and number of ranges the client
requested. But we can deny overlapping with a 416.
Or we do a 416 as well if merging would change something.

Regards

Rüdiger

Mime
View raw message