
Sanity checks for HTTP range requests [SPR-17318] #21851

Description

Rossen Stoyanchev opened SPR-17318 and commented

When serving static resources, or as of 5.0 also when a controller returns a Resource, if the "Range" header is present, one or more subsets of the content may be served instead of the entire content. Some basic validations to the requested ranges should be applied as recommended in RFC 7233 Section 3.1:

A server that supports range requests MAY ignore or reject a Range
header field that consists of more than two overlapping ranges, or a
set of many small ranges that are not listed in ascending order,
since both are indications of either a broken client or a deliberate
denial-of-service attack.

Affects: 4.3.20, 5.0.9, 5.1 GA

Referenced from: commits 0447726, 423aa28, c8e3200

Backported to: 5.0.10, 4.3.20
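The checks the issue asks for, as an added example that is not Spring's code and does not use Spring's HttpRange API: a small byte-range parser that follows RFC 7233 section 3.1 (unknown units and malformed specs mean the Range header is ignored, a set with no satisfiable range maps to 416), followed by the sanity checks quoted above. The limits MAX_RANGES, MAX_OVERLAPPING, SMALL_RANGE_BYTES and MANY_SMALL_RANGES are assumptions chosen for this example; the exception names and all function names are likewise constructed here.

```python
import re
from typing import List, Optional, Tuple

ByteRange = Tuple[int, int]  # inclusive first-byte-pos, last-byte-pos

# Policy limits, chosen for this example (assumptions, not Spring's constants).
MAX_RANGES = 100              # hard cap on the number of ranges in one request
MAX_OVERLAPPING = 2           # RFC 7233 s3.1: "more than two overlapping ranges"
SMALL_RANGE_BYTES = 1024      # a range this long or shorter counts as "small"
MANY_SMALL_RANGES = 10        # this many small ranges must be listed in ascending order

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


class RangeUnsatisfiable(ValueError):
    """No requested range lies inside the representation: respond 416."""


class RangeRejected(ValueError):
    """Range set matches an RFC 7233 s3.1 abuse pattern: reject (or ignore) it."""


def parse_byte_ranges(header: str, total_length: int) -> Optional[List[ByteRange]]:
    """Parse a Range header value against a representation of total_length bytes.

    Returns None when the header must be ignored (unknown range unit or a
    malformed byte-range-spec) and the full representation served, otherwise a
    list of resolved inclusive ranges. Raises RangeUnsatisfiable when none of
    the requested ranges can be satisfied.
    """
    unit, sep, specs = header.strip().partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return None                         # only the bytes unit is understood
    if total_length <= 0:
        raise RangeUnsatisfiable("empty representation has no byte ranges")
    resolved: List[ByteRange] = []
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None                     # malformed spec: ignore the whole header
        first, last = m.group(1), m.group(2)
        if first == "":                     # suffix-byte-range-spec: the last N bytes
            n = int(last)
            if n == 0:
                continue                    # "-0" selects nothing and is skipped
            resolved.append((max(total_length - n, 0), total_length - 1))
            continue
        start = int(first)
        end = int(last) if last != "" else total_length - 1
        if last != "" and end < start:
            return None                     # first-byte-pos > last-byte-pos is invalid
        if start >= total_length:
            continue                        # this single range is unsatisfiable
        resolved.append((start, min(end, total_length - 1)))
    if not resolved:
        raise RangeUnsatisfiable(f"no satisfiable range in {header!r}")
    return resolved


def check_range_sanity(ranges: List[ByteRange]) -> None:
    """Apply the RFC 7233 s3.1 sanity checks; raise RangeRejected on an abusive set."""
    if len(ranges) > MAX_RANGES:
        raise RangeRejected(f"{len(ranges)} ranges exceeds the limit of {MAX_RANGES}")
    # Count ranges that overlap at least one other range; n <= MAX_RANGES so O(n^2) is fine.
    overlapping = set()
    for i, (a0, a1) in enumerate(ranges):
        for j in range(i + 1, len(ranges)):
            b0, b1 = ranges[j]
            if a0 <= b1 and b0 <= a1:
                overlapping.update((i, j))
    if len(overlapping) > MAX_OVERLAPPING:
        raise RangeRejected(f"{len(overlapping)} overlapping ranges")
    # Many small ranges must be in ascending order of first-byte-pos.
    small = [r for r in ranges if r[1] - r[0] + 1 <= SMALL_RANGE_BYTES]
    descending = any(ranges[k][0] < ranges[k - 1][0] for k in range(1, len(ranges)))
    if len(small) >= MANY_SMALL_RANGES and descending:
        raise RangeRejected("many small ranges not listed in ascending order")


def resolve_range_request(header: Optional[str], total_length: int) -> Optional[List[ByteRange]]:
    """Parse and sanity-check a Range header; None means serve the full representation."""
    if header is None:
        return None
    ranges = parse_byte_ranges(header, total_length)
    if ranges is None:
        return None
    check_range_sanity(ranges)
    return ranges
```

Whether a RangeRejected set is answered with 416 or simply ignored (200 with the full body) is a server policy choice; the RFC permits either, and the important point is that the server never performs the work the abusive range set asks for.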

Metadata

Labels

in: web (Issues in web modules (web, webmvc, webflux, websocket))
status: backported (An issue that has been backported to maintenance branches)
type: enhancement (A general enhancement)
