This patch removes the processing of `mxb' parameters in Accept

headers in mod_negotiation.  A second patch updates the manual to
reflect this (mxb is not documented directly in the manual but support
for it is implied in one place).

Reasons for removing this feature:

1) As currently implemented, the 'mxb' feature makes possible certain
denial-of-service attacks on negotiated content.  These attacks are
posssible for user communities which access an Apache server from
behind a HTTP/1.1 proxy which implements `Vary' related optimisations.
Plugging this denial of service hole without removing `mxb' is fairly
expensive in terms of degrading caching efficiency.

2) `mxb' is not in HTTP/1.0 or HTTP/1.1 or any other standard

3) Nobody seems to make use of 'mxb'.  (Balachander Krishnamurthy
kindly offered to grep some of his web traffic traces -- he did not
find a single Accept with mxb in a whole day of recent traffic, nor in
older traces)

4) Removing a feature makes a nice change from adding features.

Submitted by:	Koen Holtman <Koen.Holtman@cern.ch>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@83288 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/docs/manual/content-negotiation.html b/docs/manual/content-negotiation.html
index 11dd0dbb4bf8a73a8c849fa8d74291496b5b4729..7bfaee5afa9fd2d95f58e3517738dfebcac8deb2 100644 (file)
--- a/docs/manual/content-negotiation.html
+++ b/docs/manual/content-negotiation.html
@@ -196,10 +196,9 @@ The full list of headers recognized is:
        for compress'd files, and <CODE>x-gzip</CODE> for gzip'd files.
        The <CODE>x-</CODE> prefix is ignored for encoding comparisons.
   <DT> <CODE>Content-Length:</CODE>
-  <DD> The size of the file.  Clients can ask to receive a given media
-       type only if the variant isn't too big; specifying a content
-       length in the map allows the server to compare against these
-       thresholds without checking the actual file.
+  <DD> The size of the file.  Specifying content
+       lengths in the type-map allows the server to compare file sizes
+       without checking the actual files.
   <DT> <CODE>Description:</CODE>
   <DD> A human-readable textual description of the variant.  If Apache cannot
        find any appropriate variant to return, it will return an error 

diff --git a/docs/manual/content-negotiation.html.en b/docs/manual/content-negotiation.html.en
index 11dd0dbb4bf8a73a8c849fa8d74291496b5b4729..7bfaee5afa9fd2d95f58e3517738dfebcac8deb2 100644 (file)
--- a/docs/manual/content-negotiation.html.en
+++ b/docs/manual/content-negotiation.html.en
@@ -196,10 +196,9 @@ The full list of headers recognized is:
        for compress'd files, and <CODE>x-gzip</CODE> for gzip'd files.
        The <CODE>x-</CODE> prefix is ignored for encoding comparisons.
   <DT> <CODE>Content-Length:</CODE>
-  <DD> The size of the file.  Clients can ask to receive a given media
-       type only if the variant isn't too big; specifying a content
-       length in the map allows the server to compare against these
-       thresholds without checking the actual file.
+  <DD> The size of the file.  Specifying content
+       lengths in the type-map allows the server to compare file sizes
+       without checking the actual files.
   <DT> <CODE>Description:</CODE>
   <DD> A human-readable textual description of the variant.  If Apache cannot
        find any appropriate variant to return, it will return an error