Timestamp:
Feb 20, 2012, 9:20:33 AM (8 years ago)
Author:
ylafon@…
Message:

Explicitly allow servers to combine ranges, mitigate the use of range requests to do denial-of-service attacks

File:
1 edited

  • draft-ietf-httpbis/latest/p5-range.xml

    r1524 r1542  
    456456   response &SHOULD; include a Content-Range header field
    457457   specifying the current length of the representation (see <xref target="header.content-range"/>).
    458    This response &MUST-NOT; use the multipart/byteranges content-type.
    459 </t>
    460 </section>
     458   This response &MUST-NOT; use the multipart/byteranges content-type. For example,
     459</t>
     460<figure><artwork type="example">
     461  HTTP/1.1 416 Requested Range Not Satisfiable
     462  Date: Mon, 20 Jan 2012 15:41:54 GMT
     463  Content-Range: bytes */47022
     464  Content-Type: image/gif
     465</artwork></figure>
     466<x:note>
     467  <t>
     468    <x:h>Note:</x:h> Clients cannot depend on servers to send a 416 (Requested
     469    range not satisfiable) response instead of a 200 (OK) response for
     470    an unsatisfiable Range header field, since not all servers
     471    implement this header field.
     472  </t>
     473</x:note>
     474</section>
     475</section>
     476
     477<section title="Responses to a Range Request">
     478<section title="Response to a Single and Multiple Ranges Request">
     479<t>
     480   When an HTTP message includes the content of a single range (for
     481   example, a response to a request for a single range, or to a request
     482   for a set of ranges that overlap without any holes), this content is
     483   transmitted with a Content-Range header field, and a Content-Length header
     484   field showing the number of bytes actually transferred. For example,
     485</t>
     486<figure><artwork type="example">
     487  HTTP/1.1 206 Partial Content
     488  Date: Wed, 15 Nov 1995 06:25:24 GMT
     489  Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT
     490  Content-Range: bytes 21010-47021/47022
     491  Content-Length: 26012
     492  Content-Type: image/gif
     493</artwork></figure>
     494<t>
     495   When an HTTP message includes the content of multiple ranges (for
     496   example, a response to a request for multiple non-overlapping
     497   ranges), these are transmitted as a multipart message. The multipart
     498   media type used for this purpose is "multipart/byteranges" as defined
     499   in <xref target="internet.media.type.multipart.byteranges"/>.
     500</t>
     501<t>
     502   A server &MAY; combine requested ranges when those ranges are overlapping
     503   (See <xref target="security.considerations"/>).
     504</t>
     505<t>
     506   A response to a request for a single range &MUST-NOT; be sent using the
     507   multipart/byteranges media type.  A response to a request for
     508   multiple ranges, whose result is a single range, &MAY; be sent as a
     509   multipart/byteranges media type with one part. A client that cannot
     510   decode a multipart/byteranges message &MUST-NOT; ask for multiple
     511   ranges in a single request.
     512</t>
     513<t>
     514   When a client requests multiple ranges in one request, the
     515   server &SHOULD; return them in the order that they appeared in the
     516   request.
     517</t>
    461518</section>
    462519
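Review bot: the Date header in the new 416 example at line 462, "Mon, 20 Jan 2012 15:41:54 GMT", names the wrong weekday; 20 January 2012 was a Friday, so it should read "Fri, 20 Jan 2012 15:41:54 GMT" (or use a date whose day-name matches, as the 206 example at line 488, "Wed, 15 Nov 1995", already does). Separately, the new sentence at lines 502-503, "A server &MAY; combine requested ranges when those ranges are overlapping (See <xref target="security.considerations"/>)", should state what combining means for the response (a single range covering the union, which is the "overlap without any holes" case lines 480-484 already describe) and should use lowercase "see" inside the parenthetical; a bare cross-reference gives implementers no criterion for when combining is appropriate.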
     
    510567   response or as multiple 206 responses with one continuous range each.
    511568</t>
     569</section>
    512570</section>
    513571
     
    652710</t>
    653711<t>
    654    When an HTTP message includes the content of a single range (for
    655    example, a response to a request for a single range, or to a request
    656    for a set of ranges that overlap without any holes), this content is
    657    transmitted with a Content-Range header field, and a Content-Length header
    658    field showing the number of bytes actually transferred. For example,
    659 </t>
    660 <figure><artwork type="example">
    661   HTTP/1.1 206 Partial Content
    662   Date: Wed, 15 Nov 1995 06:25:24 GMT
    663   Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT
    664   Content-Range: bytes 21010-47021/47022
    665   Content-Length: 26012
    666   Content-Type: image/gif
    667 </artwork></figure>
    668 <t>
    669    When an HTTP message includes the content of multiple ranges (for
    670    example, a response to a request for multiple non-overlapping
    671    ranges), these are transmitted as a multipart message. The multipart
    672    media type used for this purpose is "multipart/byteranges" as defined
    673    in <xref target="internet.media.type.multipart.byteranges"/>.
    674 </t>
    675 <t>
    676    A response to a request for a single range &MUST-NOT; be sent using the
    677    multipart/byteranges media type.  A response to a request for
    678    multiple ranges, whose result is a single range, &MAY; be sent as a
    679    multipart/byteranges media type with one part. A client that cannot
    680    decode a multipart/byteranges message &MUST-NOT; ask for multiple
    681    ranges in a single request.
    682 </t>
    683 <t>
    684    When a client requests multiple ranges in one request, the
    685    server &SHOULD; return them in the order that they appeared in the
    686    request.
    687 </t>
    688 <t>
    689    If the server ignores a byte-range-spec because it is syntactically
    690    invalid, the server &SHOULD; treat the request as if the invalid Range
     712   If the server ignores a byte-range-spec (for example if it is
     713   syntactically invalid, or if it may be seen as a denial-of-service
     714   attack), the server &SHOULD; treat the request as if the invalid Range
    691715   header field did not exist. (Normally, this means return a 200
    692716   response containing the full representation).
    693717</t>
    694 <t>
    695    If the server receives a request (other than one including an If-Range
    696    header field) with an unsatisfiable Range header
    697    field (that is, all of whose byte-range-spec values have a
    698    first-byte-pos value greater than the current length of the selected
    699    resource), it &SHOULD; return a response code of 416 (Requested range
    700    not satisfiable) (<xref target="status.416"/>).
    701 </t>
    702 <x:note>
    703   <t>
    704     <x:h>Note:</x:h> Clients cannot depend on servers to send a 416 (Requested
    705     range not satisfiable) response instead of a 200 (OK) response for
    706     an unsatisfiable Range header field, since not all servers
    707     implement this header field.
    708   </t>
    709 </x:note>
    710718</section>
    711719
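Review bot: the wording at lines 712-715 is now internally inconsistent. The new parenthetical adds a case in which the byte-range-spec is not invalid at all ("if it may be seen as a denial-of-service attack"), yet the sentence still says to act "as if the invalid Range header field did not exist", and it mixes ignoring one byte-range-spec with ignoring the whole Range header field. Suggest splitting the two cases: keep the existing rule for a syntactically invalid byte-range-spec, and state separately that a server that regards a Range header field as abusive (for instance the overlapping ranges that line 502 now lets a server combine) may ignore the entire header field and return the full representation, with a cross-reference to the Security Considerations for the criteria. As written, "may be seen as a denial-of-service attack" gives no testable condition for interoperable behaviour.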
     
    18791887<section title="Since draft-ietf-httpbis-p5-range-18" anchor="changes.since.18">
    18801888<t>
    1881   None yet.
     1889  Closed issues:
     1890  <list style="symbols">
     1891    <t>
     1892      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/311"/>:
     1893      "Add limitations to Range to reduce its use as a denial-of-service tool"
     1894    </t>
     1895  </list>
    18821896</t>
    18831897</section>
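Review bot: the change-log entry at lines 1889-1895 carries only the ticket link and its title, so a reader of the document cannot tell from it what actually changed. Suggest adding a one-line summary of the normative changes in this revision next to the <eref/> (servers MAY combine overlapping ranges; a Range header field regarded as a denial-of-service attempt may be ignored) so the entry is self-describing without following the link.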