nginx security advisory (CVE-2017-7529)

Maxim Dounin mdounin at
Wed Jul 12 12:01:32 UTC 2017


On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:

> Couldn't you use
> max_ranges 0;
> to disable byte range support completely?

Disabling ranges completely will mitigate the issue as well.  But 
as the issue only affects requests with multiple ranges, it is not 
needed; "max_ranges 1;" is enough.

> Also, won't setting the value of ranges to max_ranges 1; break pseudo
> streaming in HTML5 video apps etc.?

No, pseudo streaming generally uses requests with a single range, 
and these are allowed with "max_ranges 1;".  Requests with 
multiple ranges are very rare in practice (AFAIK, they are used 
by Adobe Acrobat and MS Office, but I've never heard of anything 
more popular than that).

Maxim Dounin
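
Added example, not part of the original message or of nginx: a log audit that shows which clients would be affected before "max_ranges 1;" is deployed, by counting the ranges in each logged Range header. It assumes a custom access log format (hypothetical name `ranges`, shown in the comment) that records `$http_user_agent` and `$http_range`; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed (not from the original post) log format that records the Range header:
#   log_format ranges '$remote_addr "$request" $status "$http_user_agent" "$http_range"';
LINE_RE = re.compile(
    r'^(?P<addr>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<agent>[^"]*)" "(?P<range>[^"]*)"$'
)

def count_ranges(header):
    """Number of range specs in a Range header value; 0 if absent or not a bytes range."""
    unit, sep, specs = header.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return 0
    # Specs are comma-separated; empty list elements are ignored.
    return sum(1 for spec in specs.split(",") if spec.strip())

def audit(lines, max_ranges=1):
    """Return (totals, agents): request tallies and user agents exceeding max_ranges."""
    totals, agents = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            totals["unparsed"] += 1
            continue
        n = count_ranges(m["range"])
        if n == 0:
            totals["no_range"] += 1
        elif n <= max_ranges:
            totals["allowed"] += 1
        else:
            # nginx processes over-limit requests as if no byte ranges were specified
            totals["over_limit"] += 1
            agents[m["agent"]] += 1
    return totals, agents

# Constructed sample log lines (documentation addresses, made-up user agents).
SAMPLE = [
    '192.0.2.10 "GET /video.mp4 HTTP/1.1" 206 "ExamplePlayer/1.0" "bytes=0-1048575"',
    '192.0.2.11 "GET /video.mp4 HTTP/1.1" 206 "ExamplePlayer/1.0" "bytes=1048576-"',
    '192.0.2.12 "GET /doc.pdf HTTP/1.1" 206 "ExamplePDFReader/2.0" "bytes=0-99,5000-5999"',
    '192.0.2.13 "GET /index.html HTTP/1.1" 200 "ExampleBrowser/3.0" "-"',
]
```

Calling `audit(SAMPLE)` reports the single-range player requests as allowed and only the two-range request as over the limit, along with the user agent that sent it.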
