On Tuesday 23 August 2011, William A. Rowe Jr. wrote:
> On 8/23/2011 6:08 AM, Stefan Fritsch wrote:
> > http://seclists.org/fulldisclosure/2011/Aug/175
> >
> > I haven't looked into it so far. And I am not sure I will have
> > time today.
>
> Until range can be completely addressed, avoiding excessive numbers
> of ranges (tricky) or overlapping ranges (pretty
> straightforward)... what about simply disabling deflate on range
> requests?
There is this PR:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49772 "mod_deflate kicks itself out on Content-Range responses but not on
multipart/byteranges"
This may be one of the issues. But as Rüdiger pointed out, there is
also an issue without mod_deflate.
From looking at the code, I think the problem is the bucket structs.
With N the number of requested ranges, the initial brigade is
partitioned into 2*N buckets at the maximum. Then those buckets are
copied into the output brigade N times, which means that O(N^2)
buckets are created. The data is not copied, and only N "A-B" strings
are allocated from the pool. But the sum of those is limited by
LimitRequestFieldSize, so it shouldn't be a problem.
Maybe the byte-range filter should call ap_pass_brigade every 10
ranges or so? Then the buckets should be freed earlier (at least if
all filters down the chain behave correctly).