On Fri, 31 Oct 2025 14:04:49 GMT, Peyang <[email protected]> wrote:

>> src/jdk.httpserver/share/classes/sun/net/httpserver/simpleserver/FileServerHandler.java
>> line 310:
>>
>>> 308: return true;
>>> 309: }
>>> 310: servePartialContents(exchange, path, ranges);
>>
>> The RFC says:
>>
>>> A server that supports range requests MAY ignore or reject a
>>> [Range](https://www.rfc-editor.org/rfc/rfc9110.html#field.range) header
>>> field that contains an invalid
>>> [ranges-specifier](https://www.rfc-editor.org/rfc/rfc9110.html#rule.ranges-specifier)
>>> ([Section
>>> 14.1.1](https://www.rfc-editor.org/rfc/rfc9110.html#range.specifiers)), a
>>> [ranges-specifier](https://www.rfc-editor.org/rfc/rfc9110.html#rule.ranges-specifier)
>>> with more than two overlapping ranges, or a set of many small ranges that
>>> are not listed in ascending order, since these are indications of either a
>>> broken client or a deliberate denial-of-service attack ([Section
>>> 17.15](https://www.rfc-editor.org/rfc/rfc9110.html#overlapping.ranges)).
>>
>> I would expect a validation of the ranges list before we serve them.
>
> I recall reading this part of the RFC before.
> Since it says *MAY*, and given that this is a simple web server, I wasn't
> sure if such validations are strictly required,
> so I didn't implement them.
> But if you think it's necessary, I can add them now.

Yes please. I'd prefer to have built-in validation.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28021#discussion_r2481667982
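
The kind of range-list validation discussed in this thread, sketched as an added example; it is not code from the pull request or from the JDK. The class, the `Range` record and the three limits are assumptions (RFC 9110 does not define "many" or "small"), and "more than two overlapping ranges" is read here as more than two ranges that each overlap some other range.

```java
import java.util.List;
import java.util.stream.LongStream;

public class RangeListCheck {
    /** Inclusive byte range, assumed already resolved against the file size. */
    record Range(long first, long last) {
        boolean overlaps(Range o) { return first <= o.last && o.first <= last; }
    }

    // Assumed limits; RFC 9110 leaves the actual thresholds to the server.
    static final int MAX_RANGES = 64;      // hard cap, also bounds the pairwise check below
    static final int MANY_RANGES = 8;
    static final long SMALL_RANGE = 1024;  // bytes

    /** Returns true if the list may be served, false if it should be ignored or rejected. */
    static boolean acceptable(List<Range> ranges, long fileSize) {
        int n = ranges.size();
        if (n == 0 || n > MAX_RANGES) return false;
        int overlapping = 0, small = 0;
        boolean ascending = true;
        for (int i = 0; i < n; i++) {
            Range r = ranges.get(i);
            // Malformed or out-of-bounds range: treat the whole specifier as invalid.
            if (r.first() < 0 || r.last() < r.first() || r.last() >= fileSize) return false;
            if (r.last() - r.first() + 1 <= SMALL_RANGE) small++;
            if (i > 0 && r.first() < ranges.get(i - 1).first()) ascending = false;
            // Count each range at most once if it overlaps any other range.
            for (int j = 0; j < n; j++) {
                if (j != i && r.overlaps(ranges.get(j))) { overlapping++; break; }
            }
        }
        if (overlapping > 2) return false;                     // more than two overlapping ranges
        if (!ascending && small >= MANY_RANGES) return false;  // many small ranges, out of order
        return true;
    }

    public static void main(String[] args) {
        long size = 100_000;
        // Constructed inputs, not taken from the pull request.
        List<Range> ordered = List.of(new Range(0, 499), new Range(500, 999));
        List<Range> stacked = List.of(new Range(0, 999), new Range(0, 999), new Range(0, 999));
        List<Range> shuffled = LongStream.range(0, 10)
                .mapToObj(i -> new Range((9 - i) * 10, (9 - i) * 10 + 4)).toList();
        System.out.println("ordered:  " + acceptable(ordered, size));
        System.out.println("stacked:  " + acceptable(stacked, size));
        System.out.println("shuffled: " + acceptable(shuffled, size));
    }
}
```

A caller that gets `false` can either ignore the Range header and send the full representation or reject the request, since the RFC text quoted above permits both.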
