Changeset 1355 for draft-ietf-httpbis

Timestamp:

Jul 26, 2011, 8:53:04 AM (9 years ago)

Author:

ylafon@…

Message:

Added security consideration on range flooding (See #175)

Location:

draft-ietf-httpbis/latest

Files:

• p5-range.html (modified) (9 diffs)
• p5-range.xml (modified) (2 diffs)

draft-ietf-httpbis/latest/p5-range.html

@@ -359 +359 @@
   } 
   @bottom-center {
-       content: "Expires January 26, 2012"; 
+       content: "Expires January 27, 2012"; 
   } 
   @bottom-right {
@@ -406 +406 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p5-range-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2011-07-25">
+      <meta name="dct.issued" scheme="ISO8601" content="2011-07-26">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 5 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 5 defines range-specific requests and the rules for constructing and combining responses to those requests.">
@@ -432 +432 @@
             </tr>
             <tr>
-               <td class="left">Expires: January 26, 2012</td>
+               <td class="left">Expires: January 27, 2012</td>
                <td class="right">J. Mogul</td>
             </tr>
@@ -489 +489 @@
             <tr>
                <td class="left"></td>
-               <td class="right">July 25, 2011</td>
+               <td class="right">July 26, 2011</td>
             </tr>
          </tbody>
@@ -517 +517 @@
          in progress”.
       </p>
-      <p>This Internet-Draft will expire on January 26, 2012.</p>
+      <p>This Internet-Draft will expire on January 27, 2012.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © 2011 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
@@ -571 +571 @@
             </ul>
          </li>
-         <li>7.&nbsp;&nbsp;&nbsp;<a href="#security.considerations">Security Considerations</a></li>
+         <li>7.&nbsp;&nbsp;&nbsp;<a href="#security.considerations">Security Considerations</a><ul>
+               <li>7.1&nbsp;&nbsp;&nbsp;<a href="#overlapping.ranges">Overlapping Ranges</a></li>
+            </ul>
+         </li>
          <li>8.&nbsp;&nbsp;&nbsp;<a href="#ack">Acknowledgments</a></li>
          <li>9.&nbsp;&nbsp;&nbsp;<a href="#rfc.references">References</a><ul>
@@ -1032 +1035 @@
       <p id="rfc.section.6.3.p.3">The change controller is: "IETF (iesg@ietf.org) - Internet Engineering Task Force".</p>
       <h1 id="rfc.section.7"><a href="#rfc.section.7">7.</a>&nbsp;<a id="security.considerations" href="#security.considerations">Security Considerations</a></h1>
-      <p id="rfc.section.7.p.1">No additional security considerations have been identified beyond those applicable to HTTP in general <a href="#Part1" id="rfc.xref.Part1.6"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>.
+      <p id="rfc.section.7.p.1">This section is meant to inform application developers, information providers, and users of the security limitations in HTTP/1.1
+         as described by this document. The discussion does not include definitive solutions to the problems revealed, though it does
+         make some suggestions for reducing security risks.
+      </p>
+      <h2 id="rfc.section.7.1"><a href="#rfc.section.7.1">7.1</a>&nbsp;<a id="overlapping.ranges" href="#overlapping.ranges">Overlapping Ranges</a></h2>
+      <p id="rfc.section.7.1.p.1">Range requests containing overlapping ranges may lead to the situation where a server is sending far more data than the size
+         of the complete resource representation.
       </p>
       <h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a>&nbsp;<a id="ack" href="#ack">Acknowledgments</a></h1>
@@ -1392 +1401 @@
       <p id="rfc.section.D.16.p.1">None.</p>
       <h2 id="rfc.section.D.17"><a href="#rfc.section.D.17">D.17</a>&nbsp;<a id="changes.since.15" href="#changes.since.15">Since draft-ietf-httpbis-p5-range-15</a></h2>
-      <p id="rfc.section.D.17.p.1">None.</p>
+      <p id="rfc.section.D.17.p.1">Closed issues: </p>
+      <ul>
+         <li> &lt;<a href="http://trac.tools.ietf.org/wg/httpbis/trac/ticket/175">http://trac.tools.ietf.org/wg/httpbis/trac/ticket/175</a>&gt;: "Security consideration: range flooding"
+         </li>
+      </ul>
       <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1>
       <p class="noprint"><a href="#rfc.index.2">2</a> <a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.H">H</a> <a href="#rfc.index.I">I</a> <a href="#rfc.index.M">M</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.S">S</a> 
@@ -1468 +1481 @@
             </li>
             <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul>
-                  <li><em>Part1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.2</a>, <a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.2</a>, <a href="#rfc.xref.Part1.6">7</a>, <a href="#Part1"><b>9.1</b></a><ul>
+                  <li><em>Part1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.2</a>, <a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.2</a>, <a href="#Part1"><b>9.1</b></a><ul>
                         <li><em>Section 1.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.1">1.2</a></li>
                         <li><em>Section 1.2.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a></li>

draft-ietf-httpbis/latest/p5-range.xml

@@ -984 +984 @@
 <section title="Security Considerations" anchor="security.considerations">
 <t>
-   No additional security considerations have been identified beyond
-   those applicable to HTTP in general &messaging;.
-</t>
+   This section is meant to inform application developers, information
+   providers, and users of the security limitations in HTTP/1.1 as
+   described by this document. The discussion does not include
+   definitive solutions to the problems revealed, though it does make
+   some suggestions for reducing security risks.
+</t>
+<section title="Overlapping Ranges" anchor="overlapping.ranges">
+<t>
+   Range requests containing overlapping ranges may lead to the situation
+   where a server is sending far more data than the size of the complete
+   resource representation.
+</t>
+</section>
 </section>
 
@@ -1693 +1703 @@
 <section title="Since draft-ietf-httpbis-p5-range-15" anchor="changes.since.15">
 <t>
-  None.
+  Closed issues:
+  <list style="symbols">
+    <t>
+      <eref target="http://trac.tools.ietf.org/wg/httpbis/trac/ticket/175"/>:
+      "Security consideration: range flooding"
+    </t>
+  </list>
 </t>
 </section>