nginx security advisory (CVE-2017-7529)
Maxim Dounin
mdounin at mdounin.ru
Wed Jul 12 12:01:32 UTC 2017
Hello!
On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:
> Couldn't you use
>
> max_ranges 0;
>
> To disable byte range support completely.
Disabling ranges completely will mitigate the issue as well. But
as the issue only affects requests with multiple ranges, it is not
needed, "max_ranges 1;" is enough.
> Also won't setting the value of ranges to max_ranges 1; break pseudo
> streaming in HTML5 video apps etc. ?
No, pseudo streaming generally uses requests with a single range,
and these are allowed with "max_ranges 1;". Requests with
multiple ranges are very rare in practice (AFAIK, they are used
by Adobe Acrobat and MS Office, but I've never heard of anything
more popular than that).
--
Maxim Dounin
http://nginx.org/
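One way to confirm the "max_ranges 1;" mitigation is actually in place on a server (added example, not part of the mail above): nginx documents that requests exceeding max_ranges are processed as if no Range header were present, so a single-range request should still get 206 while a multi-range request falls back to 200. The target URL is a hypothetical placeholder.

```python
"""Probe how a server treats single- and multi-range requests.

Added example, not part of the mailing-list thread. Assumes a server
reachable at a URL you supply (placeholder below); it sends ordinary
two-range requests, nothing malformed.
"""
import http.client
import sys
from urllib.parse import urlparse

SINGLE_RANGE = "bytes=0-9"          # what pseudo-streaming players send
MULTI_RANGE = "bytes=0-9,20-29"     # the request class max_ranges 1 rejects


def classify(status: int, content_type: str) -> str:
    """Map a response to how the server treated the Range header."""
    if status == 206 and content_type.lower().startswith("multipart/byteranges"):
        return "multi-range served"      # server still assembles multipart ranges
    if status == 206:
        return "single range served"
    if status == 200:
        return "range ignored"           # max_ranges exceeded: full body, no 206
    if status == 416:
        return "range not satisfiable"
    return f"unexpected status {status}"


def probe(url: str, range_value: str, timeout: float = 5.0) -> str:
    """Issue one GET with the given Range header and classify the answer."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"Range": range_value})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return classify(resp.status, resp.getheader("Content-Type", ""))
    finally:
        conn.close()


def mitigation_in_place(single: str, multi: str) -> bool:
    """True when single ranges still work but multiple ranges are ignored."""
    return single == "single range served" and multi == "range ignored"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1/file.bin"  # placeholder
    s, m = probe(target, SINGLE_RANGE), probe(target, MULTI_RANGE)
    print(f"single range: {s}\nmulti range:  {m}")
    print("max_ranges 1 in effect" if mitigation_in_place(s, m) else "multi-range still honoured")
```

Run it against a static file larger than 30 bytes; a "multi-range served" result means the limit is not applied for that location.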