You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/09/23 01:13:08 UTC

DO NOT REPLY [Bug 51878] New: 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

             Bug #: 51878
           Summary: 2.2.21 is not compliant for byterange 0- returning 200
                    instead of 206
           Product: Apache httpd-2
           Version: 2.2.21
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: All
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: galt@soe.ucsc.edu
    Classification: Unclassified


2.2.21 is not compliant for byterange 0- returning 200 instead of 206.

This breaks our software.
We see the 200 response as a failure to understand the byterange request.

http://httpd.apache.org/security/CVE-2011-3192.txt
The fixes for CVE-2011-3192 in 2.2.20 and 2.2.21 are causing
servers to return 200 instead of 206 for this case.
(see the CAVEATS section of CVE-2011-3192).

RFC
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

Section 14.35.1 Byte Ranges says that, if the requested range is satisfiable, 
and 0- certainly is, then "the server SHOULD return a response with a status of
206 (Partial Content) containing the satisfiable ranges of the entity-body. "

People everywhere should not have to dink around with their clients software.
You should follow the standard.  It should be easy for you to fix this.

-Thank you!
Galt Barber
UCSC Genome Browser

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

--- Comment #5 from galt@soe.ucsc.edu 2011-09-28 23:32:35 UTC ---
Thanks for the quick fix!
Any idea when 2.2.22 will be released?
We have users that will be eager to get it.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

--- Comment #2 from galt@soe.ucsc.edu 2011-09-22 23:36:50 UTC ---
Here's what someone else wrote on the issue:

https://developer.mozilla.org/en/Configuring_servers_for_Ogg_media

<quote>

Handle HTTP 1.1 byte range requests correctly

In order to support seeking and playing back regions of the media that aren't
yet downloaded, Gecko uses HTTP 1.1 byte-range requests to retrieve the media
from the seek target position. In addition, if you don't serve
X-Content-Duration headers, Gecko uses byte-range requests to seek to the end
of the media (assuming you serve the Content-Length header) in order to
determine the duration of the media.

Your server should accept the "Accept-Ranges: bytes" HTTP header if it can
accept byte-range requests. It must return "206: Partial content" to all byte
range requests; otherwise, Gecko can't be sure you actually support byte range
requests.

Your server must also return "206: Partial Content" for the request "Range:
bytes=0-" as well.

</quote>

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

--- Comment #9 from galt@soe.ucsc.edu 2011-10-05 20:13:13 UTC ---
(In reply to comment #8)
oops, meant to say:

> then the client will NOT know what to do with w.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #11 from Eric Covener <co...@gmail.com> 2012-03-21 12:04:32 UTC ---
(In reply to comment #10)
> When "killapache.pl" script is executed against Opensource Apache 2.2.22
> Windows binary, it shows "host seems vuln" message. This behaviour was not
> observed in Apache 2.2.21 version. Whether this means CVE-2011-3192
> vulnerability is re-introduced in Opensource Apache 2.2.22 version while fixing
> the below byterange regression?
> 
> *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
> A range of '0-' will now return 206 instead of 200. PR 51878.
> [Jim Jagielski]

No, it means killapache.pl has crude detection for vulnerable hosts.  It flags
any system that responds to range headers.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

Ruediger Pluem <rp...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

Stefan Fritsch <sf...@sfritsch.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk

--- Comment #4 from Stefan Fritsch <sf...@sfritsch.de> 2011-09-28 21:50:19 UTC ---
trunk: r1175980, r1175992
2.2.x: r1177080 will be in 2.2.22

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

--- Comment #3 from Stefan Fritsch <sf...@sfritsch.de> 2011-09-23 21:44:58 UTC ---
In addition to gecko (i.e. firefox) and libavformat (as reported on the dev
list), vlc is also broken by this change. This means that it breaks quite a few
popular video players. Therefore I am for reverting this change. We have
workarounds for other clients in the code, too.

Maybe Roy can get it clarified in HTTP/1.1bis that this is expected behaviour,
and then we can change it back again in httpd 3.0.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

--- Comment #8 from galt@soe.ucsc.edu 2011-10-05 20:08:29 UTC ---
Just to make the point, if the client software asks for x,y,z,
but apache returns w (even if technically w is a superset of x,y,z),
then the client will know what to do with w.

The way we use apache here is for random access to huge files,
often 180GB or larger. We sure as heck don't want the whole file back.
We usually read the header block (request 1), which tells 
where to find the index (request 2), which tells us were 
to jump to in the data (request 3).  Of course we cache things.
We do not ask for multiple blocks at once.

With some formats, we are able to determine in advance how
much we are reading, but with others we do not know ahead of 
time when we will stop reading, so that the range end is unknown.

Since 200 is what servers that do not support byteranges return,
we reject those servers as soon as we see the header.
It must be 206 to continue.  The fact that there is just one 
case where the part is equal to the whole, does not mean
that we want a 200 instead of a 206.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

--- Comment #7 from galt@soe.ucsc.edu 2011-10-05 18:42:15 UTC ---
We have tested the patch here at UCSC against 2.2.21 and it worked fine.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

--- Comment #6 from William A. Rowe Jr. <wr...@apache.org> 2011-09-28 23:46:17 UTC ---
There are no plans at present.

2.2.22 isn't likely to be released until we have feedback from the community
who report such issues... sf gave you the link to the patch (click on r1177080 
above), if you can apply to 2.2.21 and report back if it resolves all of your
observed issues, or if you continue to see misbehavior, this would be very
helpful towards moving to the 2.2.22 release.

For completeness, here's my own counter-argument documenting why reverting this
behavior is appropriate from a bandwidth consumption perspective;

http://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%3C4E80BDF7.8040601@rowe-clan.net%3E

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

--- Comment #12 from Jackie Rosen <ja...@hushmail.com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

matty <ma...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #10 from matty <ma...@gmail.com> 2012-03-21 11:39:21 UTC ---
When "killapache.pl" script is executed against Opensource Apache 2.2.22
Windows binary, it shows "host seems vuln" message. This behaviour was not
observed in Apache 2.2.21 version. Whether this means CVE-2011-3192
vulnerability is re-introduced in Opensource Apache 2.2.22 version while fixing
the below byterange regression?

*) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
A range of '0-' will now return 206 instead of 200. PR 51878.
[Jim Jagielski]

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

--- Comment #1 from William A. Rowe Jr. <wr...@apache.org> 2011-09-22 23:28:09 UTC ---
As a request for 0- is satisfiable as either a 200, a 206 single item response,
or a 206 multiple ranges response, the server appears free to make the most
efficient bandwidth and processing cycles election of responses.

All clients must degrade gracefully to 200 replies, per spec, and changing this
newly introduced behavior is very unlikely.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org