Re: #311: Denial of Service and Ranges

On Wed, 7 Dec 2011, Mark Nottingham wrote:
>
> On 24/11/2011, at 3:52 PM, William A. Rowe Jr. wrote:
>
>> It's easier to say servers are always permitted to coalesce responses in a
>> manner that makes delivery more efficient. I believe this needs to include
>> sequencing them in serial order as mentioned in...
>
> Reading this thread, I'm inclined to agree; rather than being too 
> specific, we could note the security issues, as well as the potential 
> impact on clients.
>
> How about adding a paragraph to p5 5.4.2:
>
> """ Servers are not required to return the exact range requested in a 
> partial response, and MAY coalesce several ranges into a single 
> response, to make delivery more efficient. Clients SHOULD NOT depend 
> upon the requested ranges being returned as specified in a partial 
> response. This includes the size of the ranges, their offsets, and their 
> ordering in the response.
> """
There is already a paragraph about that issue in the security section, but 
yes, something needs to be added to explicitly allow servers to coalesce 
overlapping ranges.
Also note that in 5.2:
<<
 When an HTTP message includes the content of multiple ranges (for
 example, a response to a request for multiple non-overlapping
 ranges), these are transmitted as a multipart message. The multipart
 media type used for this purpose is "multipart/byteranges" as defined
 in Appendix A.
 A response to a request for a single range MUST NOT be sent using the
 multipart/byteranges media type. A response to a request for
 multiple ranges, whose result is a single range, MAY be sent as a
 multipart/byteranges media type with one part. A client that cannot
 decode a multipart/byteranges message MUST NOT ask for multiple
 ranges in a single request.
>>
Which is implicitly authorizing coalescing ranges and hinting that 
overlapping ranges in multipart/byteranges should not be overlapping.
But it's better to explicitely say it.
(There are also some examples missing)
I'll send a diff proposal soon.
-- 
Baroula que barouleras, au tiéu toujou t'entourneras.
 ~~Yves

Received on Thursday, 8 December 2011 14:48:58 UTC
