From: Stefan Fritsch
To: dev@httpd.apache.org
Subject: Re: DoS with mod_deflate & range requests
Date: Wed, 24 Aug 2011 18:47:52 +0200
Message-Id: <201108241847.52860.sf@sfritsch.de>

On Wednesday 24 August 2011, Jim Jagielski wrote:
> On Aug 24, 2011, at 12:05 PM, Plüm, Rüdiger, VF-Group wrote:
> >> -----Original Message-----
> >> From: Jim Jagielski [mailto:jim@jaguNET.com]
> >> Sent: Wednesday, 24 August 2011 18:02
> >> To: dev@httpd.apache.org
> >> Subject: Re: DoS with mod_deflate & range requests
> >>
> >> Sorting isn't allowed but I get the impression that merging is
> >> OK... Roy can confirm...
> >
> > But merging might require sorting...
>
> then we don't do that merge, imo… In other words, we
> progress thru the set of ranges and once a range
> is merged as far as it can be (due to the next range
> not being merge-able with the previous one), we let
> it go...

We could also use a two stage approach: Up to some limit (e.g. 50)
ranges, we return them as the client requested them. Over that limit,
we violate the RFC-SHOULD and sort and merge them.
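
The two-stage approach proposed in this message, written as an added C example (not part of the original e-mail and not httpd's own code). The `byte_range` type, the function names and the sample ranges are assumptions made for illustration; ranges are taken as already parsed and resolved to inclusive byte offsets.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical type for this example: one resolved byte range, inclusive. */
typedef struct { long start, end; } byte_range;

#define RANGE_LIMIT 50 /* the "e.g. 50" from the message */

static int cmp_start(const void *a, const void *b)
{
    const byte_range *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Fold each range into the previous output range when the two overlap or
 * touch; otherwise emit it unchanged. No reordering happens here, so on
 * unsorted input this is one reading of the in-order merge in the quoted reply. */
static size_t merge_neighbours(byte_range *r, size_t n)
{
    size_t out = 0;
    if (n == 0) return 0;
    for (size_t i = 1; i < n; i++) {
        if (r[i].start - 1 <= r[out].end && r[i].end >= r[out].start - 1) {
            if (r[i].start < r[out].start) r[out].start = r[i].start;
            if (r[i].end > r[out].end) r[out].end = r[i].end;
        } else {
            r[++out] = r[i];
        }
    }
    return out + 1;
}

/* Two-stage policy: at or below the limit keep the client's ranges as
 * requested; above it, sort by start offset and merge. Returns new count. */
static size_t normalize_ranges(byte_range *r, size_t n)
{
    if (n <= RANGE_LIMIT) return n;
    qsort(r, n, sizeof *r, cmp_start);
    return merge_neighbours(r, n);
}

int main(void)
{
    byte_range many[60]; /* constructed sample: 60 overlapping ranges, descending */
    for (int i = 0; i < 60; i++) many[i] = (byte_range){ (59 - i) * 5L, (59 - i) * 5L + 9 };
    size_t n = normalize_ranges(many, 60);
    printf("%zu range(s), first %ld-%ld\n", n, many[0].start, many[0].end);
    return 0;
}
```

Above the limit the response size is bounded by the resource length, since the merged ranges no longer overlap; below it the client's order and overlaps are preserved.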