nginx security advisory (CVE-2017-7529)
mdounin at mdounin.ru
Wed Jul 12 12:01:32 UTC 2017
On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:
> Couldn't you use
> max_ranges 0;
> To disable byte range support completely.
Disabling ranges completely will mitigate the issue as well. But
as the issue only affects requests with multiple ranges, it is not
needed; "max_ranges 1;" is enough.
> Also won't setting the value of ranges to max_ranges 1; break pseudo
> streaming in HTML5 video apps etc.?
No, pseudo streaming generally uses requests with a single range,
and these are allowed with "max_ranges 1;". Requests with
multiple ranges are very rare in practice (AFAIK, they are used
by Adobe Acrobat and MS Office, but I've never heard of anything
more popular than that).
More information about the nginx
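Added example, not part of the advisory thread: a small check an administrator can run against their own server to confirm that multi-range requests are no longer honoured once "max_ranges 1;" (or "max_ranges 0;") is in place. It sends one GET with two ranges and classifies the reply; the URL and host are hypothetical, and the classification logic works offline on constructed responses.

```python
"""Verify that an nginx server no longer serves multi-range responses.

Added as an illustration of the mitigation discussed above; the URL used
in the usage call is a placeholder, not a real target."""
import http.client
from urllib.parse import urlparse


def classify_range_response(status, headers):
    """Classify a reply to a request carrying two byte ranges.

    "multipart": several ranges were honoured (206 + multipart/byteranges)
    "single":    one range was served (206 with a single Content-Range)
    "ignored":   the Range header was ignored, full 200 body returned
                 (what nginx does for a multi-range request with max_ranges 1)
    "other":     anything else (404, 416, 5xx, ...)"""
    ctype = headers.get("content-type", "").lower()
    if status == 206:
        return "multipart" if ctype.startswith("multipart/byteranges") else "single"
    if status == 200:
        return "ignored"
    return "other"


def probe(url, ranges="0-0,2-2", timeout=5):
    """Send one GET with a two-range Range header and classify the response."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("GET", u.path or "/", headers={"Range": "bytes=" + ranges})
    resp = conn.getresponse()
    resp.read()  # drain the body so the connection can be closed cleanly
    conn.close()
    hdrs = {k.lower(): v for k, v in resp.getheaders()}
    return classify_range_response(resp.status, hdrs)


def mitigation_in_effect(url):
    """True when multi-range requests are no longer honoured, which is
    what "max_ranges 1;" (or "max_ranges 0;") produces on the server."""
    return probe(url) != "multipart"


if __name__ == "__main__":
    # Placeholder URL: point this at a static file on a server you operate.
    print(mitigation_in_effect("http://localhost/static/file.bin"))
```

A "single" or "ignored" result after the change is the expected outcome; "multipart" means the server still honours multiple ranges and the setting has not taken effect (check that it is in the right server/location block and that nginx was reloaded).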