httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: DoS with mod_deflate & range requests
Date Wed, 24 Aug 2011 16:02:29 GMT
 

> -----Original Message-----
> From: Jim Jagielski [mailto:jim@jaguNET.com] 
> Sent: Mittwoch, 24. August 2011 17:48
> To: dev@httpd.apache.org
> Subject: Re: DoS with mod_deflate & range requests
> 
> 
> On Aug 24, 2011, at 4:05 AM, Plüm, Rüdiger, VF-Group wrote:
> 
> > 
> > Patch looks good, but some comments:
> > 
> > As far as I can see the following range request would not get merged:
> > 
> > Range: bytes=0-0,1-1,2-2
> > 
> > into a 0-2 range as need_sort would remain 0. OTOH
> > 
> > Range: bytes=0-0,0-1,1-2
> > 
> > would get merged into a 0-2 range.
> > 
> > Using boundary and !boundary in the later if statements to decide whether a request
> > is multi range or single range is IMHO bad as boundary is set based on the old number
> > of ranges and not based on the number of merged ranges. So multiple ranges in the beginning
> > might get merged to a single range in the end.
> 
> +1...
> 
> Suggestion: Let's fold the patch, as-is, into trunk, tune it there
> and then backport to 2.x...
> 

Based on Roy's comment about the spec I think we cannot optimize this way.
I think we can only detect if something weird goes on (overlapping, merging
would result in smaller number of ranges, excessive number of ranges, whereas
"excessive" needs to be configurable with a sane default) and reply with a 416 then.

Regards

Rüdiger
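
The check proposed in the reply above (reject overlapping or mergeable ranges and an excessive range count with a 416), sketched as an added example that is not part of the original message and is not httpd's code. The names `check_ranges` and `max_ranges` and the status enum are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

enum { RANGE_IGNORE = 200, RANGE_OK = 206, RANGE_REJECT = 416 };
typedef struct { long long start, end; } byte_range;
static int by_start(const void *a, const void *b) {
    const byte_range *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}
/* Parse an unsigned decimal at *p; returns 0 if no digit is present. */
static int num(const char **p, long long *out) {
    char *e;
    if (!isdigit((unsigned char)**p)) return 0;
    *out = strtoll(*p, &e, 10);
    *p = e;
    return 1;
}
/* Hypothetical helper: HTTP status for a Range header on a clen-byte entity. */
int check_ranges(const char *hdr, long long clen, int max_ranges) {
    int n = 0, seen = 0, status = RANGE_OK;
    byte_range *r;
    if (strncmp(hdr, "bytes=", 6) || clen <= 0 || max_ranges <= 0) return RANGE_IGNORE;
    if (!(r = malloc(sizeof *r * (size_t)max_ranges))) return RANGE_REJECT;
    for (const char *p = hdr + 6; ; ) {
        long long a, b;
        p += strspn(p, " \t,");
        if (!*p) break;
        if (seen++ == max_ranges) { status = RANGE_REJECT; break; } /* excessive */
        if (*p == '-') {                        /* suffix form: last b bytes */
            p++;
            if (!num(&p, &b)) { status = RANGE_IGNORE; break; }
            a = b >= clen ? 0 : clen - b;
            b = clen - 1;
        } else {
            if (!num(&p, &a) || *p++ != '-') { status = RANGE_IGNORE; break; }
            if (!num(&p, &b)) b = clen - 1;     /* open-ended "a-" */
            else if (b < a) { status = RANGE_IGNORE; break; }   /* malformed */
            if (b >= clen) b = clen - 1;        /* clamp to end of entity */
        }
        if (a <= b) r[n++] = (byte_range){ a, b };  /* drop unsatisfiable specs */
    }
    if (status == RANGE_OK && n == 0) status = seen ? RANGE_REJECT : RANGE_IGNORE;
    if (status == RANGE_OK) qsort(r, (size_t)n, sizeof *r, by_start);
    for (int i = 1; status == RANGE_OK && i < n; i++)
        if (r[i].start <= r[i - 1].end + 1)     /* overlapping or adjacent: */
            status = RANGE_REJECT;              /* merging would shrink the set */
    free(r);
    return status;
}
```

Both headers quoted earlier in the thread, `bytes=0-0,1-1,2-2` and `bytes=0-0,0-1,1-2`, come back as 416 here because sorting by start offset makes any overlap or adjacency show up between neighbouring entries.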
