Re: #311: Denial of Service and Ranges from Yves Lafon on 2011-12-08 (ietf-http-wg@w3.org from October to December 2011)

From: Yves Lafon <ylafon@w3.org>
Date: Thu, 8 Dec 2011 09:48:55 -0500 (EST)
To: Mark Nottingham <mnot@mnot.net>
cc: "William A. Rowe Jr." <wrowe@rowe-clan.net>, ietf-http-wg@w3.org
Message-ID: <alpine.DEB.1.10.1112080942120.26187@wnl.j3.bet>

On Wed, 7 Dec 2011, Mark Nottingham wrote:

>
> On 24/11/2011, at 3:52 PM, William A. Rowe Jr. wrote:
>
>> It's easier to say servers are always permitted to coalesce responses in a
>> manner that makes delivery more efficient.  I believe this needs to include
>> sequencing them in serial order as mentioned in...
>
> Reading this thread, I'm inclined to agree; rather than being too 
> specific, we could note the security issues, as well as the potential 
> impact on clients.
>
> How about adding a paragraph to p5 5.4.2:
>
> """ Servers are not required to return the exact range requested in a 
> partial response, and MAY coalesce several ranges into a single 
> response, to make delivery more efficient. Clients SHOULD NOT depend 
> upon the requested ranges being returned as specified in a partial 
> response. This includes the size of the ranges, their offsets, and their 
> ordering in the response.
> """

There is already a paragraph about that issue in the security section, but 
yes, something needs to be added to explicitely allow servers to coalesce 
overlapping ranges.

Also note that in 5.2:
<<
    When an HTTP message includes the content of multiple ranges (for
    example, a response to a request for multiple non-overlapping
    ranges), these are transmitted as a multipart message.  The multipart
    media type used for this purpose is "multipart/byteranges" as defined
    in Appendix A.

    A response to a request for a single range MUST NOT be sent using the
    multipart/byteranges media type.  A response to a request for
    multiple ranges, whose result is a single range, MAY be sent as a
    multipart/byteranges media type with one part.  A client that cannot
    decode a multipart/byteranges message MUST NOT ask for multiple
    ranges in a single request.
>>

Which is implicitely authorizing coalescing ranges and hinting that 
overlapping ranges in multipart/byteranges should not be overlapping.
But it's better to explicitely say it.
(There are also some examples missing)
I'll send a diff proposal soon.

-- 
Baroula que barouleras, au tiéu toujou t'entourneras.

         ~~Yves

Received on Thursday, 8 December 2011 14:48:58 UTC