limit_rate dynamically using $arg - security

shoshomiga nginx-forum at nginx.us
Thu Apr 5 11:26:06 UTC 2012


Jonathan Matthews Wrote:
-------------------------------------------------------
> On 4 April 2012 21:40, shoshomiga
> <nginx-forum at nginx.us> wrote:
> > I've been looking for a way to limit videos to their bitrate to save
> > bandwidth and I've come up with this code
> >
> >            if ($arg_LIMITSPEED) {
> >              set $limit_rate $arg_LIMITSPEED;
> >            }
> >
> > It works but I would like to know if this code would be secure to use on
> > a production server.
> >
> > I am not worried about users setting their LIMITSPEED high on their own
> > because I am limiting speeds at the network level as well.
> 
> To be honest, I'm not sure what definition of
> "insecure" you could be
> thinking of that *isn't* "the user can override it
> trivially" :-)
> 
> If you're doing the rate limiting at the network
> level properly, then
> why duplicate the effort? It's just one more place
> you have to change
> when you upgrade the speed limits.
> 
> Personally, I'm prototyping a streaming service at
> the moment using
> http://wiki.nginx.org/X-accel#X-Accel-Limit-Rate
> and a double
> proxy_pass (via X-Accel-Redirect to an internal
> storage proxy_pass).
> It all looks like it works nicely, and allows the
> dumb storage backend
> to throw data at the nginx router as fast as nginx
> accepts it, and for
> the first (intelligent) proxy_pass backend to
> *decide* the bitrate via
> X-Accel-Limit-Rate. I'll blog it soonish :-)
> 
> Jonathan
> -- 
> Jonathan Matthews
> London, Oxford, UK
> http://www.jpluscplusm.com/contact.html
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

By security I meant vulnerability to buffer overflows and other exploits,
since limit_rate is probably not meant to receive that kind of
unsanitized input.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,224950,224967#msg-224967
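An added example (not from either poster) of the two approaches discussed in this thread: a `map` whitelist that only passes a well-formed LIMITSPEED value into `$limit_rate` (nginx parses that variable as a size and rejects a malformed value with an error-log entry rather than applying it, so the whitelist is about keeping control of the number, not about memory safety), and the X-Accel-Redirect / X-Accel-Limit-Rate layout from the reply, where the backend rather than the client decides the rate. Hostnames, ports and paths are placeholders.

```nginx
# Whitelist: accept only "<2-5 digits>k" (e.g. 500k) from the query string;
# anything else, including an empty value, falls back to a fixed default.
map $arg_LIMITSPEED $video_limit_rate {
    default            "200k";
    "~^[0-9]{2,5}k$"   $arg_LIMITSPEED;
}

server {
    listen 80;
    server_name example.invalid;          # placeholder hostname

    # Approach 1 (the original question): rate taken from the query string,
    # but only after it has passed the map whitelist above.
    location /videos/ {
        root /srv;                        # assumed media root
        limit_rate_after 1m;              # first MiB at full speed for player buffering
        set $limit_rate $video_limit_rate;
    }

    # Approach 2 (the reply): the application backend answers with
    #   X-Accel-Redirect: /internal-storage/<file>
    #   X-Accel-Limit-Rate: <bytes per second>
    # and nginx re-dispatches to the internal location with that rate applied.
    # The client never sees or controls the number.
    location /stream/ {
        proxy_pass http://127.0.0.1:8080;  # assumed "intelligent" app backend
    }

    location /internal-storage/ {
        internal;                          # reachable only via X-Accel-Redirect
        proxy_pass http://127.0.0.1:9000/; # assumed dumb storage backend
    }
}
```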
