Re: #311: Denial of Service and Ranges

On Wed, 7 Dec 2011, Mark Nottingham wrote:

> On 24/11/2011, at 3:52 PM, William A. Rowe Jr. wrote:
>> It's easier to say servers are always permitted to coalesce responses in a
>> manner that makes delivery more efficient.  I believe this needs to include
>> sequencing them in serial order as mentioned in...
> Reading this thread, I'm inclined to agree; rather than being too 
> specific, we could note the security issues, as well as the potential 
> impact on clients.
> How about adding a paragraph to p5 5.4.2:
> """ Servers are not required to return the exact range requested in a 
> partial response, and MAY coalesce several ranges into a single 
> response, to make delivery more efficient. Clients SHOULD NOT depend 
> upon the requested ranges being returned as specified in a partial 
> response. This includes the size of the ranges, their offsets, and their 
> ordering in the response.
> """

There is already a paragraph about that issue in the security section, but 
yes, something needs to be added to explicitely allow servers to coalesce 
overlapping ranges.

Also note that in 5.2:
    When an HTTP message includes the content of multiple ranges (for
    example, a response to a request for multiple non-overlapping
    ranges), these are transmitted as a multipart message.  The multipart
    media type used for this purpose is "multipart/byteranges" as defined
    in Appendix A.

    A response to a request for a single range MUST NOT be sent using the
    multipart/byteranges media type.  A response to a request for
    multiple ranges, whose result is a single range, MAY be sent as a
    multipart/byteranges media type with one part.  A client that cannot
    decode a multipart/byteranges message MUST NOT ask for multiple
    ranges in a single request.

Which is implicitely authorizing coalescing ranges and hinting that 
overlapping ranges in multipart/byteranges should not be overlapping.
But it's better to explicitely say it.
(There are also some examples missing)
I'll send a diff proposal soon.

Baroula que barouleras, au tiéu toujou t'entourneras.


Received on Thursday, 8 December 2011 14:48:58 UTC