On 8/24/2011 4:06 PM, Nick Kew wrote: > AFAICS[1], we've discussed an advisory and some protections > users can deploy. For the future we should be looking at > a robust solution that prevents Range requests only when > they're likely to present a problem. > > Most obviously, we should be able to serve arbitrary ranges > from any static or cached file without sweat to support > apps such as JPEG2000 or PDF streaming. That can be done > much more efficiently at source than in a ranges filter. > > Does this look like a plan? > > 1. Add Ranges capability into the default handler and mod_cache. > They could then set a "ranges-handled" flag in r->notes.
Fails if the default handler has been filtered into a differently sized document, e.g. code page conversion. > 2. Insert the Ranges filter according to the logic that's > been discussed here today. > 3. The Ranges filter then checks ranges-handled, and removes > itself if set, to avoid returning recursive ranges. You are now requiring all filters which change the document's geometry to not only discard C-L, but also reset ranges-handled. Not a reasonable path forward for 2.[02].x.
