Sanity checks for HTTP range requests [SPR-17318] #21851

Closed
spring-projects-issues opened this issue Oct 1, 2018 · 0 comments
Labels: in: web (Issues in web modules: web, webmvc, webflux, websocket); status: backported (An issue that has been backported to maintenance branches); type: enhancement (A general enhancement)

Rossen Stoyanchev opened SPR-17318 and commented

When serving static resources, or as of 5.0 also when a controller returns a Resource, if the "Range" header is present, one or more subsets of the content may be served instead of the entire content. Some basic validations of the requested ranges should be applied as recommended in RFC 7233 Section 3.1:

A server that supports range requests MAY ignore or reject a Range
header field that consists of more than two overlapping ranges, or a
set of many small ranges that are not listed in ascending order,
since both are indications of either a broken client or a deliberate
denial-of-service attack.

Affects: 4.3.20, 5.0.9, 5.1 GA

Referenced from: commits 0447726, 423aa28, c8e3200

Backported to: 5.0.10, 4.3.20
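One way to implement the RFC 7233 Section 3.1 heuristics quoted in the issue, as an added example written for this page in Python; it is not code from the Spring Framework and does not reproduce how the referenced commits implement the check. The header is parsed, each byte-range-spec is resolved against the content length (unsatisfiable specs are dropped, as Section 4.4 describes), and then two sanity checks are applied: more than two ranges that overlap one another, or "many small" ranges that are not listed in ascending order. The RFC does not define "many" or "small", so the thresholds MAX_RANGES, SMALL_RANGE_BYTES and MANY_SMALL_RANGES below, and all function names, are assumptions chosen for illustration.

```python
"""Sanity checks for HTTP Range headers after RFC 7233 Sections 3.1 and 4.4.

Added illustration; not Spring Framework code. Thresholds are assumptions.
"""
import re
from typing import List, Optional, Tuple

# Assumed thresholds (neither RFC 7233 nor the issue fixes these numbers).
MAX_RANGES = 100            # more ranges than this is rejected outright
SMALL_RANGE_BYTES = 1024    # a range of at most this many bytes is "small"
MANY_SMALL_RANGES = 8       # this many small ranges counts as "many"

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

RawRange = Tuple[Optional[int], Optional[int]]   # (first, last); None = open
Region = Tuple[int, int]                         # inclusive (start, end)


class InvalidRangeError(ValueError):
    """Raised for a malformed, unsatisfiable or rejected Range header."""


def parse_byte_ranges(header: str) -> List[RawRange]:
    """Parse 'bytes=a-b, c-, -d' into (first, last) pairs without resolving them."""
    if not header.lower().startswith("bytes="):
        raise InvalidRangeError("unsupported range unit")
    specs = [s.strip() for s in header[len("bytes="):].split(",")]
    if any(spec == "" for spec in specs):
        raise InvalidRangeError("empty byte-range-spec")
    parsed: List[RawRange] = []
    for spec in specs:
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise InvalidRangeError(f"malformed byte-range-spec: {spec!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise InvalidRangeError(f"last-byte-pos before first-byte-pos: {spec!r}")
        parsed.append((first, last))
    return parsed


def resolve(ranges: List[RawRange], content_length: int) -> List[Region]:
    """Map specs onto a representation of the given length; drop unsatisfiable ones."""
    regions: List[Region] = []
    for first, last in ranges:
        if first is None:                       # suffix spec: the last N bytes
            if last == 0:
                continue                        # '-0' selects nothing
            regions.append((max(content_length - last, 0), content_length - 1))
        elif first < content_length:            # otherwise unsatisfiable
            end = content_length - 1 if last is None else min(last, content_length - 1)
            regions.append((first, end))
    return regions


def check_ranges(regions: List[Region]) -> Optional[str]:
    """Return a rejection reason per RFC 7233 3.1 heuristics, or None if acceptable."""
    if len(regions) > MAX_RANGES:
        return "too many ranges"
    # Sweep in start order; every region that reaches into the furthest end seen
    # so far overlaps at least one earlier region. Mark both participants.
    overlapping = set()
    furthest = None                             # index of region with the largest end
    for i in sorted(range(len(regions)), key=lambda k: regions[k][0]):
        start, end = regions[i]
        if furthest is not None and start <= regions[furthest][1]:
            overlapping.update((i, furthest))
        if furthest is None or end > regions[furthest][1]:
            furthest = i
    if len(overlapping) > 2:
        return "more than two overlapping ranges"
    small = sum(1 for s, e in regions if e - s + 1 <= SMALL_RANGE_BYTES)
    ascending = all(regions[i][0] <= regions[i + 1][0] for i in range(len(regions) - 1))
    if small >= MANY_SMALL_RANGES and not ascending:
        return "many small ranges not in ascending order"
    return None


def validate_range_header(header: str, content_length: int) -> List[Region]:
    """Parse, resolve and sanity-check a Range header; raise on anything rejected."""
    regions = resolve(parse_byte_ranges(header), content_length)
    if not regions:
        raise InvalidRangeError("no satisfiable range")   # 416 Range Not Satisfiable
    reason = check_ranges(regions)
    if reason is not None:
        raise InvalidRangeError(reason)
    return regions


if __name__ == "__main__":
    print(validate_range_header("bytes=0-499, -500", 10000))   # constructed input
```

The RFC allows a server either to reject such a header or to ignore it and serve the whole representation with a 200; `check_ranges` returns the reason separately so a caller can pick either behaviour, and `validate_range_header` shows the rejecting variant.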
