Welcome! Log In Create A New Profile

Re: nginx security advisory (CVE-2017-7529)

Forum List Message List New Topic Print View

Maxim Dounin

July 12, 2017 08:02AM

Hello!

On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:

> Couldn't you use
>
> max_ranges 0;
>
> To disable byte range support completely.

Disabling ranges completely will mitigate the issue as well. But
as the issue only affects requests with multiple ranges, it is not
needed, "max_ranges 1;" is enough.

> Also won't setting the value of ranges to max_ranges 1; break pseudo
> streaming in HTML5 video apps etc. ?

No, pseudo streaming generally uses requests with a single range,
and these are allowed with "max_ranges 1;". Requests with
multiple ranges are very rare in practice (AFAIK, they are used
by Adobe Acrobat and MS Office, but I've never heard of anything
more popular than that).

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
nginx security advisory (CVE-2017-7529)	Maxim Dounin	July 11, 2017 11:50AM
Re: nginx security advisory (CVE-2017-7529)	c0nw0nk	July 11, 2017 05:45PM
Re: nginx security advisory (CVE-2017-7529)	darylwang	July 11, 2017 06:56PM
Re: nginx security advisory (CVE-2017-7529)	Maxim Dounin	July 12, 2017 08:02AM
Re: nginx security advisory (CVE-2017-7529)	martinzhou	July 12, 2017 09:42PM
Re: nginx security advisory (CVE-2017-7529)	Maxim Dounin	July 13, 2017 10:14AM
Re: nginx security advisory (CVE-2017-7529)	Shuxin Yang	July 21, 2017 01:34AM
Re: nginx security advisory (CVE-2017-7529)	Maxim Dounin	August 09, 2017 11:14AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 268

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018