Welcome! Log In Create A New Profile

Advanced

Re: nginx security advisory (CVE-2017-7529)

July 12, 2017 09:42PM
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:
>
> > Couldn't you use
> >
> > max_ranges 0;
> >
> > To disable byte range support completely.
>
> Disabling ranges completely will mitigate the issue as well. But
> as the issue only affects requests with multiple ranges, it is not
> needed, "max_ranges 1;" is enough.
>
> > Also won't setting the value of ranges to max_ranges 1; break pseudo
> > streaming in HTML5 video apps etc. ?
>
> No, pseudo streaming generally uses requests with a single range,
> and these are allowed with "max_ranges 1;". Requests with
> multiple ranges are very rare in practice (AFAIK, they are used
> by Adobe Acrobat and MS Office, but I've never heard of anything
> more popular than that).
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


I found that in some cases (when the browser is requesting for a mp3 file), the HTTP header will be formed as "Range: bytes=1-100, 200-100". I'm wondering if we set "max_ranges 0;" or "max_ranges 1;" in the config, it will cause the failure of loading such files.

Also, I'm wondering if I've already set a comparatively "big" number after the "max_ranges", for example, "max_ranges 100;", do I still need to adjust the number to a low value (e.g. "1" or "2")?
Subject Author Posted

nginx security advisory (CVE-2017-7529)

Maxim Dounin July 11, 2017 11:50AM

Re: nginx security advisory (CVE-2017-7529)

c0nw0nk July 11, 2017 05:45PM

Re: nginx security advisory (CVE-2017-7529)

darylwang July 11, 2017 06:56PM

Re: nginx security advisory (CVE-2017-7529)

Maxim Dounin July 12, 2017 08:02AM

Re: nginx security advisory (CVE-2017-7529)

martinzhou July 12, 2017 09:42PM

Re: nginx security advisory (CVE-2017-7529)

Maxim Dounin July 13, 2017 10:14AM

Re: nginx security advisory (CVE-2017-7529)

Shuxin Yang July 21, 2017 01:34AM

Re: nginx security advisory (CVE-2017-7529)

Maxim Dounin August 09, 2017 11:14AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 99
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready