Nick Kew wrote:
> Eric Covener wrote:
>
>> /* For a 304 response, only change the headers */
>> - if (r->status == HTTP_NOT_MODIFIED) {
>> + if (r->status == HTTP_NOT_MODIFIED || r->header_only) {
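Review bot: with `|| r->header_only` added to the condition, every HEAD request takes the headers-only path, but nothing in the hunk shows the headers being made consistent for that case. A HEAD response should carry the same header fields a GET would, so this path must not send Content-Encoding alongside a Content-Length that describes the uncompressed body. Either leave Content-Encoding unset or unset Content-Length. The context comment still reads "For a 304 response" and should mention HEAD requests as well. Because this changes what clients see for HEAD, consider putting it behind a configuration directive and documenting it rather than applying it unconditionally.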
>
> Technically speaking, screws up the protocol.
>
> IMHO it would be acceptable provided:
> (a) it's an option for the admin, rather than enforced
> (b) it's documented
> (c) the headers are correct: either Content-Encoding is
> unset (uncompressed response) or Content-Length is
> unset. Probably the former.

Agreed. It's not a DoS. If the admin wants to conserve CPU
resources, they must either:
* cache the deflated pages (avoid user-agent header if there
are multiples, which reminds me we need a module to unset the
accept deflate trigger on non-compliant browsers running
very-first in the quick_handler.)
* create gzip'ed content, navigate the choice of content through
multiviews.
* do not do server-side deflation (it is expensive).
These two flaw reports are truly no more DoS than most CGI pages.