nginx security advisory (CVE-2017-7529)
mdounin at mdounin.ru
Thu Jul 13 14:13:34 UTC 2017
On Wed, Jul 12, 2017 at 09:42:04PM -0400, martinzhou wrote:
> Maxim Dounin Wrote:
> > Hello!
> > On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:
> > > Couldn't you use
> > >
> > > max_ranges 0;
> > >
> > > To disable byte range support completely.
> > Disabling ranges completely will mitigate the issue as well. But
> > as the issue only affects requests with multiple ranges, it is not
> > needed, "max_ranges 1;" is enough.
> > > Also won't setting the value of ranges to max_ranges 1; break pseudo
> > > streaming in HTML5 video apps etc. ?
> > No, pseudo streaming generally uses requests with a single range,
> > and these are allowed with "max_ranges 1;". Requests with
> > multiple ranges are very rare in practice (AFAIK, they are used
> > by Adobe Acrobat and MS Office, but I've never heard of anything
> > more popular than that).
> I found that in some cases (when the browser is requesting for a mp3 file),
> the HTTP header will be formed as "Range: bytes=1-100, 200-100". I'm
AFAIK, no general-purpose browsers do this, at least no popular
ones. Some music players may do so though.
> wondering if we set "max_ranges 0;" or "max_ranges 1;" in the config, it
> will cause the failure of loading such files.
Full response with code 200 will be returned to the client. This
is valid response as per RFC, and all HTTP-complaint clients are
expected to understand it and handle it properly. Also, this is
what happens regularly when a server does not support range
requests, so is highly unlikely to break any clients.
I wouldn't recommend using "max_range 0;" though, as it will
disable single-range requests as well, and this means that
download resumption and seeking won't work.
> Also, I'm wondering if I've already set a comparatively "big" number after
> the "max_ranges", for example, "max_ranges 100;", do I still need to adjust
> the number to a low value (e.g. "1" or "2")?
For the workaround to work, multi-range requests need to be
disabled. That is, you should use "max_ranges 1;".
More information about the nginx