AFAICS[1], we've discussed an advisory and some protections users can deploy. For the future we should be looking at a robust solution that prevents Range requests only when they're likely to present a problem.
Most obviously, we should be able to serve arbitrary ranges from any static or cached file without sweat to support apps such as JPEG2000 or PDF streaming. That can be done much more efficiently at source than in a ranges filter.

Does this look like a plan?

1. Add Ranges capability into the default handler and mod_cache. They could then set a "ranges-handled" flag in r->notes.
2. Insert the Ranges filter according to the logic that's been discussed here today.
3. The Ranges filter then checks ranges-handled, and removes itself if set, to avoid returning recursive ranges.

I guess implementing that would imply factoring out the multipart encoding stuff from the range filter into an API.

[1] that is, returning to an overflowing mailbox after a tiring day in offline chores, so I could easily have missed something!

--
Nick Kew
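
Added example, not part of the original message and not httpd code: a self-contained C model of the three-step plan, showing that a filter which ignores the flag applies the range a second time to an already-sliced body. The `request` struct, `serve()` and the `range_capable`/`check_flag` switches are assumptions of the model; `ranges_handled` stands in for the "ranges-handled" note in r->notes.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: one request carrying a single inclusive byte range. */
typedef struct {
    long first, last;    /* from "Range: bytes=first-last" */
    int has_range;
    int ranges_handled;  /* stands in for the "ranges-handled" note */
} request;

/* Copy src[first..last] into out, clamping last to the body; returns length. */
static size_t slice(const char *src, size_t len, long first, long last, char *out) {
    if (first < 0 || (size_t)first >= len || last < first) return 0;
    if ((size_t)last >= len) last = (long)len - 1;
    size_t n = (size_t)(last - first + 1);
    memcpy(out, src + first, n);
    return n;
}

/* Step 1: a range-capable handler slices at source and flags the request. */
static size_t handler(request *r, const char *file, size_t len, char *out, int range_capable) {
    if (range_capable && r->has_range) {
        r->ranges_handled = 1;
        return slice(file, len, r->first, r->last, out);
    }
    memcpy(out, file, len);  /* full body: the filter has to do the slicing */
    return len;
}

/* Step 3: the filter steps aside when flagged; check_flag=0 models skipping that check. */
static size_t range_filter(const request *r, const char *in, size_t len, char *out, int check_flag) {
    if (!r->has_range || (check_flag && r->ranges_handled)) {
        memcpy(out, in, len);
        return len;
    }
    return slice(in, len, r->first, r->last, out);
}

/* Handler followed by filter; file must be shorter than 64 bytes in this model. */
size_t serve(const char *file, long first, long last, int range_capable, int check_flag, char *out) {
    char mid[64];
    request r = { first, last, 1, 0 };
    size_t n = handler(&r, file, strlen(file), mid, range_capable);
    return range_filter(&r, mid, n, out, check_flag);
}

int main(void) {
    char out[64];
    size_t n = serve("0123456789ABCDEF", 4, 9, 1, 0, out);  /* constructed input */
    printf("flag ignored: %.*s\n", (int)n, out);
    return 0;
}
```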