On Wed, Aug 24, 2011 at 3:19 PM, Jim Jagielski <j...@jagunet.com> wrote:
> > If we only merge adjacent ascending ranges, then it seems like an
> > attacker could just craft a header where the ranges jump around and dodge
> > our fix.
>
> I think no matter what, we should still have some sort of
> upper limit on the number of range-sets we accept… after all,
> merge doesn't prevent jumping around ;)

The problem I have with the upper limit on the number of range sets is the
use case someone posted for JPEG2000 streaming. That has a lot of range
sets but is completely legit. However, the ranges are in ascending order
and don't overlap.

Maybe we could count overlaps and/or non-ascending order ranges and fall
back to 200 + the whole object if it exceeds a limit.

Greg
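As an added illustration of the counting rule Greg floats above (this is example code written for this page, not httpd's range code and not anything posted in the thread): a small C parser for a Range header value that counts every range starting at or before the furthest byte already covered by an earlier range, which flags overlaps and out-of-order ranges alike while leaving a long ascending list of disjoint ranges (the JPEG2000 case) uncounted. The limit MAX_DISORDER, the function names, and the sample headers in main() are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative cap on "disordered" ranges (overlapping or out of ascending
 * order). This value is an assumption for the example, not a httpd setting. */
#define MAX_DISORDER 5

typedef struct { long start, end; } byterange;

/* Parse one range-spec ("a-b", "a-", or "-n") against an object of clen bytes.
 * Returns 1 when r holds a satisfiable range, 2 when the spec is well formed
 * but lies beyond the object (skipped), and 0 on bad syntax. */
static int parse_spec(const char *s, size_t len, long clen, byterange *r)
{
    char buf[64], *dash, *endp;

    if (len == 0 || len >= sizeof buf) return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';
    dash = strchr(buf, '-');
    if (dash == NULL) return 0;
    *dash = '\0';

    if (dash == buf) {                          /* "-n": the last n bytes */
        long n;
        if (!isdigit((unsigned char)dash[1])) return 0;
        n = strtol(dash + 1, &endp, 10);
        if (*endp != '\0') return 0;
        if (n == 0) return 2;                   /* "-0" is unsatisfiable */
        if (n > clen) n = clen;
        r->start = clen - n;
        r->end = clen - 1;
        return 1;
    }

    if (!isdigit((unsigned char)buf[0])) return 0;
    r->start = strtol(buf, &endp, 10);
    if (*endp != '\0') return 0;
    if (dash[1] == '\0') {                      /* "a-": from a to the end */
        r->end = clen - 1;
    } else {
        if (!isdigit((unsigned char)dash[1])) return 0;
        r->end = strtol(dash + 1, &endp, 10);
        if (*endp != '\0' || r->end < r->start) return 0;
        if (r->end >= clen) r->end = clen - 1;
    }
    return r->start < clen ? 1 : 2;
}

/* Walk the whole Range header value. A range is "disordered" when it starts
 * at or before the furthest byte any earlier range already covered, so both
 * overlaps and ranges that jump backwards are counted, but a long ascending
 * list of disjoint ranges is not. Returns the count, or -1 if the header is
 * malformed and should simply be ignored. */
long count_disorder(const char *hdr, long clen)
{
    const char *p;
    long prev_end = -1, disorder = 0;

    if (strncmp(hdr, "bytes=", 6) != 0) return -1;
    for (p = hdr + 6; ; ) {
        const char *comma;
        size_t len;
        byterange r;

        while (*p == ' ' || *p == '\t') p++;
        comma = strchr(p, ',');
        len = comma ? (size_t)(comma - p) : strlen(p);
        while (len > 0 && (p[len - 1] == ' ' || p[len - 1] == '\t')) len--;

        if (len > 0) {                          /* empty elements are allowed */
            int rc = parse_spec(p, len, clen, &r);
            if (rc == 0) return -1;
            if (rc == 1) {
                if (r.start <= prev_end) disorder++;
                if (r.end > prev_end) prev_end = r.end;
            }
        }
        if (comma == NULL) break;
        p = comma + 1;
    }
    return disorder;
}

/* The fallback suggested in the thread: honor the header (206) only while the
 * disorder count stays within the limit; otherwise send 200 + the whole
 * object, which is also the right reaction to a header we cannot parse. */
int should_honor_range(const char *hdr, long clen)
{
    long d = count_disorder(hdr, clen);
    return d >= 0 && d <= MAX_DISORDER;
}

int main(void)
{
    /* Constructed sample headers for a 1000-byte object. */
    const char *samples[] = {
        "bytes=0-99,200-299,400-499,600-699,800-899",  /* ascending, disjoint */
        "bytes=0-,1-,2-,3-,4-,5-,6-",                   /* every range re-covers the prefix */
        "bytes=500-599,0-99",                           /* one backwards jump */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s disorder=%ld honor=%d\n", samples[i],
               count_disorder(samples[i], 1000), should_honor_range(samples[i], 1000));
    return 0;
}
```

Note that the check is against the furthest end seen so far, not just the previous range's end: merging or comparing only adjacent pairs is exactly what a header with ranges that "jump around" dodges, whereas a single high-water mark catches a later range that lands anywhere inside territory already requested.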