nginx security advisory (CVE-2017-7529)

Maxim Dounin mdounin at mdounin.ru
Thu Jul 13 14:13:34 UTC 2017


Hello!

On Wed, Jul 12, 2017 at 09:42:04PM -0400, martinzhou wrote:

> Maxim Dounin Wrote:
> -------------------------------------------------------
> > Hello!
> > 
> > On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:
> > 
> > > Couldn't you use 
> > > 
> > > max_ranges 0;
> > > 
> > > To disable byte range support completely.
> > 
> > Disabling ranges completely will mitigate the issue as well.  But 
> > as the issue only affects requests with multiple ranges, it is not 
> > needed, "max_ranges 1;" is enough.
> > 
> > > Also won't setting the value of ranges to max_ranges 1; break pseudo
> > > streaming in HTML5 video apps etc. ?
> > 
> > No, pseudo streaming generally uses requests with a single range, 
> > and these are allowed with "max_ranges 1;".  Requests with 
> > multiple ranges are very rare in practice (AFAIK, they are used 
> > by Adobe Acrobat and MS Office, but I've never heard of anything 
> > more popular than that).
> 
> I found that in some cases (when the browser is requesting for a mp3 file),
> the HTTP header will be formed as "Range: bytes=1-100, 200-100". I'm

AFAIK, no general-purpose browsers do this, at least no popular 
ones.  Some music players may do so though.

> wondering if we set "max_ranges 0;" or "max_ranges 1;" in the config, it
> will cause the failure of loading such files. 

Full response with code 200 will be returned to the client.  This 
is valid response as per RFC, and all HTTP-complaint clients are 
expected to understand it and handle it properly.  Also, this is 
what happens regularly when a server does not support range 
requests, so is highly unlikely to break any clients.

I wouldn't recommend using "max_range 0;" though, as it will 
disable single-range requests as well, and this means that 
download resumption and seeking won't work.

> Also, I'm wondering if I've already set a comparatively "big" number after
> the "max_ranges", for example, "max_ranges 100;", do I still need to adjust
> the number to a low value (e.g. "1" or "2")?

For the workaround to work, multi-range requests need to be 
disabled.  That is, you should use "max_ranges 1;".

-- 
Maxim Dounin
http://nginx.org/


More information about the nginx mailing list