On Aug 25, 2011, at 1:45 PM, William A. Rowe Jr. wrote:

> On 8/25/2011 11:24 AM, Jim Jagielski wrote:
>> I'm playing around w/ ap_set_byterange() for the merging and
>> detection part, but that should not hold up release with the
>> optimized code…
>> 
>> I can do a 2.2.10 release with the byte range stuff once we
>> agree on the back port and confirm it fixes the problem...
> 
> I guess I'm a bit confused... so the net brigade/range patch should
> be something reasonable anybody can apply to 2.0 / 2.2.  Let's get
> that net patch published as a fresh advisory by the end of the day?
> 
> There doesn't seem to be a really good reason to release half of
> the solution, if many of us agree that 'something more' should be
> done, but it will take not only our consensus, but the http-wg group
> server authors to find consensus on how servers will react to extra
> quirky range requests starting at least in August '11.
> 
> I'd rather see 2.2.10 implement that entire solution, even if this
> takes us a week.  Allowing 1-100,900-999,1-100,900-999 remains a
> DoS, even if this is a trivial one, because the resources returned
> exceed the reasonable resources required in bandwidth, cpu, even if
> we never wasted memory.
> 

Right now, all adjacent overlaps are merged, and it is
trivial to add counting the number of merges done (will
add soonish) as well as the number of "direction changes"
(e.g. 100-200,20-30)…

We can then place limits on them, expose/log them, etc...
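To make the merge/count/limit idea above concrete, here is an added illustration in C. It is not httpd's ap_set_byterange() or any code from this thread; the parser, the definition of a "direction change" (a range spec that starts before the previous spec's start), the merge rule (consecutive specs that overlap or abut are folded together) and the caller-supplied limits in range_set_acceptable() are all assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not httpd code: parse a Range header, merge consecutive
   overlapping/abutting specs, and count merges and direction changes so a
   caller can cap them (and fall back to the full entity) instead of
   materialising every requested byte range. */

#define MAX_RANGES 64

typedef struct { long start, end; } range_t;   /* inclusive byte offsets */

typedef struct {
    range_t r[MAX_RANGES];
    int count;       /* ranges kept after merging */
    int merges;      /* consecutive specs folded into the previous range */
    int reversals;   /* specs starting before the previous spec's start */
    int valid;       /* 0 if the header yielded no satisfiable range */
} range_set_t;

/* Parse one spec ("a-b", "a-" or "-n") against an entity of clen bytes.
   Returns 0 if the spec is malformed or unsatisfiable. */
static int parse_spec(const char *s, long clen, range_t *out)
{
    char *endp;
    long a, b;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '-') {                              /* suffix range: last n bytes */
        long n = strtol(s + 1, &endp, 10);
        if (endp == s + 1 || n <= 0) return 0;
        out->start = n >= clen ? 0 : clen - n;
        out->end = clen - 1;
        return 1;
    }
    a = strtol(s, &endp, 10);
    if (endp == s || *endp != '-') return 0;
    s = endp + 1;
    if (*s == '\0' || isspace((unsigned char)*s)) {
        b = clen - 1;                             /* open-ended "a-" */
    } else {
        b = strtol(s, &endp, 10);
        if (endp == s) return 0;
        if (b >= clen) b = clen - 1;
    }
    if (a >= clen || a > b) return 0;
    out->start = a;
    out->end = b;
    return 1;
}

/* Parse "bytes=a-b,c-d,..." into a merged range set for an entity of clen bytes. */
range_set_t parse_range_header(const char *hdr, long clen)
{
    range_set_t rs;
    const char *p;
    memset(&rs, 0, sizeof rs);
    if (strncmp(hdr, "bytes=", 6) != 0 || clen <= 0) return rs;
    for (p = hdr + 6; *p; ) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char spec[64];
        range_t cur;
        if (len >= sizeof spec) { rs.count = 0; return rs; }   /* absurdly long spec */
        memcpy(spec, p, len);
        spec[len] = '\0';
        p = comma ? comma + 1 : p + len;
        if (!parse_spec(spec, clen, &cur)) continue;          /* ignore unsatisfiable specs */
        if (rs.count > 0) {
            range_t *prev = &rs.r[rs.count - 1];
            if (cur.start < prev->start) rs.reversals++;      /* direction change */
            if (cur.start <= prev->end + 1 && cur.end >= prev->start - 1) {
                if (cur.start < prev->start) prev->start = cur.start;  /* overlap or abutment */
                if (cur.end > prev->end) prev->end = cur.end;
                rs.merges++;
                continue;
            }
        }
        if (rs.count == MAX_RANGES) { rs.count = 0; return rs; } /* too many distinct ranges */
        rs.r[rs.count++] = cur;
    }
    rs.valid = rs.count > 0;
    return rs;
}

/* Total bytes the merged set would send; compare against the entity size. */
long range_set_bytes(const range_set_t *rs)
{
    long total = 0;
    for (int i = 0; i < rs->count; i++) total += rs->r[i].end - rs->r[i].start + 1;
    return total;
}

/* Policy hook with caller-chosen limits (assumed values, not httpd's):
   returns 1 to serve the ranges, 0 to fall back to the full entity. */
int range_set_acceptable(const range_set_t *rs, int max_merges, int max_reversals)
{
    return rs->valid && rs->merges <= max_merges && rs->reversals <= max_reversals;
}

int main(void)
{
    const char *hdrs[] = { "bytes=1-100,50-150,140-300",
                           "bytes=1-100,900-999,1-100,900-999",
                           "bytes=100-200,20-30" };          /* constructed inputs */
    for (size_t i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++) {
        range_set_t rs = parse_range_header(hdrs[i], 1000);
        printf("%-40s ranges=%d merges=%d reversals=%d bytes=%ld serve=%d\n",
               hdrs[i], rs.count, rs.merges, rs.reversals, range_set_bytes(&rs),
               range_set_acceptable(&rs, 8, 0));
    }
    return 0;
}
```

The two counters catch different abuse shapes: "1-100,50-150,140-300" collapses to one range with two merges, while the "1-100,900-999,1-100,900-999" case from the quoted mail never overlaps its neighbour and is only caught by the reversal counter, which is why counting direction changes matters alongside merging.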
