nginx security advisory (CVE-2017-7529)

Maxim Dounin mdounin at mdounin.ru
Wed Jul 12 12:01:32 UTC 2017


Hello!

On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:

> Couldn't you use 
> 
> max_ranges 0;
> 
> to disable byte range support completely.

Disabling ranges completely will mitigate the issue as well.  But 
as the issue only affects requests with multiple ranges, it is not 
needed; "max_ranges 1;" is enough.

> Also won't setting the value of ranges to max_ranges 1; break pseudo
> streaming in HTML5 video apps etc.?

No, pseudo streaming generally uses requests with a single range, 
and these are allowed with "max_ranges 1;".  Requests with 
multiple ranges are very rare in practice (AFAIK, they are used 
by Adobe Acrobat and MS Office, but I've never heard of anything 
more popular than that).

-- 
Maxim Dounin
http://nginx.org/
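As an added illustration (not part of Maxim's message or of the nginx project's own documentation), this is how the mitigation he describes looks in a configuration file. The server_name and root paths are placeholders; max_ranges is a real directive accepted in the http, server and location contexts.

```nginx
# Added example, not from the advisory thread. Placeholder hostname/paths.
http {
    # Allow at most one byte range per request, thread-wide mitigation for
    # CVE-2017-7529. A request with a single range (HTML5 video seeking,
    # resumed downloads) is still answered with 206 Partial Content.
    # A request carrying more ranges than permitted is treated as if it
    # had no Range header at all and gets the full 200 response, so the
    # multi-range code path is never entered.
    max_ranges 1;

    server {
        listen 80;
        server_name media.example.com;   # placeholder

        # Static files served directly by nginx; the directive set in the
        # enclosing http block is inherited here, nothing further needed.
        location /media/ {
            root /srv/www;               # placeholder
        }
    }
}
```

To confirm the setting took effect after a reload, compare two HEAD requests against a static file: one with `Range: bytes=0-0` should still return 206 with a one-byte Content-Length, while one with `Range: bytes=0-0, 2-2` should return 200 with the file's full Content-Length rather than a multipart/byteranges body. If a particular location genuinely needs multi-range clients (the thread names Adobe Acrobat and MS Office), keep that exception as narrow as possible and scoped to its own location block, since raising the limit there reopens the affected path for that location.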