nginx security advisory (CVE-2017-7529)
martinzhou
nginx-forum at forum.nginx.org
Thu Jul 13 01:42:04 UTC 2017
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Tue, Jul 11, 2017 at 05:45:15PM -0400, c0nw0nk wrote:
>
> > Couldn't you use
> >
> > max_ranges 0;
> >
> > To disable byte range support completely.
>
> Disabling ranges completely will mitigate the issue as well. But
> as the issue only affects requests with multiple ranges, it is not
> needed, "max_ranges 1;" is enough.
>
> > Also won't setting the value of ranges to max_ranges 1; break pseudo
> > streaming in HTML5 video apps etc. ?
>
> No, pseudo streaming generally uses requests with a single range,
> and these are allowed with "max_ranges 1;". Requests with
> multiple ranges are very rare in practice (AFAIK, they are used
> by Adobe Acrobat and MS Office, but I've never heard of anything
> more popular than that).
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
I found that in some cases (when the browser is requesting for a mp3 file),
the HTTP header will be formed as "Range: bytes=1-100, 200-100". I'm
wondering if we set "max_ranges 0;" or "max_ranges 1;" in the config, it
will cause the failure of loading such files.
Also, I'm wondering if I've already set a comparatively "big" number after
the "max_ranges", for example, "max_ranges 100;", do I still need to adjust
the number to a low value (e.g. "1" or "2")?
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275424,275462#msg-275462
More information about the nginx
mailing list