From b709b72933e84b053c759fd8dbc43490c1b57abb Mon Sep 17 00:00:00 2001
From: dgaudet
Date: Fri, 4 Jun 1999 17:15:48 +0000
Subject: [PATCH] This patch removes the processing of `mxb' parameters in Accept headers in mod_negotiation. A second patch updates the manual to reflect this (mxb is not documented directly in the manual but support for it is implied in one place).

Reasons for removing this feature:

1) As currently implemented, the 'mxb' feature makes possible certain denial-of-service attacks on negotiated content. These attacks are possible for user communities which access an Apache server from behind a HTTP/1.1 proxy which implements `Vary' related optimisations. Plugging this denial of service hole without removing `mxb' is fairly expensive in terms of degrading caching efficiency.

2) `mxb' is not in HTTP/1.0 or HTTP/1.1 or any other standard

3) Nobody seems to make use of 'mxb'. (Balachander Krishnamurthy kindly offered to grep some of his web traffic traces -- he did not find a single Accept with mxb in a whole day of recent traffic, nor in older traces)

4) Removing a feature makes a nice change from adding features.

Submitted by: Koen Holtman

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@83288 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/content-negotiation.html | 7 +++----
 docs/manual/content-negotiation.html.en | 7 +++----
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/docs/manual/content-negotiation.html b/docs/manual/content-negotiation.html index 11dd0dbb4bf..7bfaee5afa9 100644 --- a/docs/manual/content-negotiation.html +++ b/docs/manual/content-negotiation.html @@ -196,10 +196,9 @@ The full list of headers recognized is: for compress'd files, and x-gzip for gzip'd files. The x- prefix is ignored for encoding comparisons.
Content-Length: -
The size of the file. Clients can ask to receive a given media - type only if the variant isn't too big; specifying a content - length in the map allows the server to compare against these - thresholds without checking the actual file. +
The size of the file. Specifying content + lengths in the type-map allows the server to compare file sizes + without checking the actual files.
Description:
A human-readable textual description of the variant. If Apache cannot find any appropriate variant to return, it will return an error diff --git a/docs/manual/content-negotiation.html.en b/docs/manual/content-negotiation.html.en index 11dd0dbb4bf..7bfaee5afa9 100644 --- a/docs/manual/content-negotiation.html.en +++ b/docs/manual/content-negotiation.html.en @@ -196,10 +196,9 @@ The full list of headers recognized is: for compress'd files, and x-gzip for gzip'd files. The x- prefix is ignored for encoding comparisons.
Content-Length: -
The size of the file. Clients can ask to receive a given media - type only if the variant isn't too big; specifying a content - length in the map allows the server to compare against these - thresholds without checking the actual file. +
The size of the file. Specifying content + lengths in the type-map allows the server to compare file sizes + without checking the actual files.
Description:
A human-readable textual description of the variant. If Apache cannot find any appropriate variant to return, it will return an error -- 2.47.2
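
Review bot: In the docs/manual/content-negotiation.html hunk (@@ -196,10 +196,9 @@), the replacement Content-Length text says the server can "compare file sizes without checking the actual files" but no longer says what the comparison is for. The removed sentence tied it to client-supplied thresholds; with that gone, a reader of the type-map documentation cannot tell when sizes are compared or which way the comparison cuts. Suggest adding a clause naming the purpose of the comparison, and also stating that the value in the map is taken as given rather than checked against the file, since "without checking the actual files" implies a stale Content-Length entry will silently influence the result.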
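
Review bot: In the docs/manual/content-negotiation.html.en hunk, the index line (11dd0dbb4bf..7bfaee5afa9) is the same as for content-negotiation.html, so the two files are identical copies that are being edited by hand in parallel. Any follow-up wording change has to land in both or they will drift; if one is meant to be derived from the other, it would be safer to regenerate it than to patch it separately. Separately, the subject line leads with the removal of `mxb' processing in mod_negotiation, while the diffstat lists only these two manual files; a subject that names the documentation update would make this commit easier to find when someone later traces the denial-of-service fix to the code change.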