nginx security advisory (CVE-2017-7529)

martinzhou nginx-forum at forum.nginx.org
Thu Jul 13 01:42:04 UTC 2017


Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
> 
> On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:
> 
> > Couldn't you use 
> > 
> > max_ranges 0;
> > 
> > To disable byte range support completely.
> 
> Disabling ranges completely will mitigate the issue as well.  But 
> as the issue only affects requests with multiple ranges, it is not 
> needed, "max_ranges 1;" is enough.
> 
> > Also won't setting the value of ranges to max_ranges 1; break pseudo
> > streaming in HTML5 video apps etc. ?
> 
> No, pseudo streaming generally uses requests with a single range, 
> and these are allowed with "max_ranges 1;".  Requests with 
> multiple ranges are very rare in practice (AFAIK, they are used 
> by Adobe Acrobat and MS Office, but I've never heard of anything 
> more popular than that).
> 
> -- 
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


I found that in some cases (when the browser is requesting for a mp3 file),
the HTTP header will be formed as "Range: bytes=1-100, 200-100". I'm
wondering if we set "max_ranges 0;" or "max_ranges 1;" in the config, it
will cause the failure of loading such files. 

Also, I'm wondering if I've already set a comparatively "big" number after
the "max_ranges", for example, "max_ranges 100;", do I still need to adjust
the number to a low value (e.g. "1" or "2")?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275424,275462#msg-275462



More information about the nginx mailing list