On Wed, Aug 24, 2011 at 12:42 PM, Jim Jagielski <[email protected]> wrote:
>
> On Aug 24, 2011, at 12:22 PM, William A. Rowe Jr. wrote:
> >
> > > 0-, 40-50 becomes 0-
> > > 0-499, 400-599 becomes 0-599
> > > 1000-1075, 200-250, 1051-1100 becomes 1000-1100, 200-250
>
> This goes against Roy's recommendation to 416 overlaps… But
> I do see that an overlap is specifically noted in an example
>

yeah. The very end of section 14.35.1 says an overlap is legal, so I'm confused.

>
> Until we are *clear* on what we should be doing, spec-wise, I
> think it's unwise to make assumptions…
>
> From the above, I would be more comfortable with
>
> 0-, 40-50 ---> 0-
> 0-499, 400-599 ---> 0-599
> 1000-1075, 1025-1088, 200-250, 1051-1100 --> 1000-1088, 200-250,
> 1051-1100
>
> that is, merge as we can, but never resort...

how about: 1000-2000,100-200,3000-4000,200-300,1999-3001 ?

If we don't return a 416 for that due to overlap, I think the merge should be;

1000-4000,100-300

If we only merge adjacent ascending ranges, then it seems like an attacker could just craft a header where the ranges jump around and dodge our fix.

The other small point I wanted to make is that both ends of a range could overlap previously specified ranges.

Greg
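
The two merge policies debated in this thread, as an added Python sketch (not httpd code and not written by any of the posters): merging a range only into the one immediately before it, versus merging it into any earlier range it overlaps while keeping first-seen order. All function names are hypothetical, and suffix ranges such as `-500` are deliberately left out.

```python
# Added illustration; function names are hypothetical, not httpd's API.
import math

def parse_ranges(spec):
    """Parse 'a-b' and 'a-' byte ranges; an open end becomes math.inf."""
    out = []
    for part in spec.split(","):
        first, _, last = part.strip().partition("-")
        if not first:
            raise ValueError("suffix ranges (-N) are outside this sketch")
        start, end = int(first), (int(last) if last else math.inf)
        if end < start:
            raise ValueError(f"invalid range {part!r}")
        out.append((start, end))
    return out

def overlaps(a, b):
    # True when the two inclusive ranges share at least one byte.
    return a[0] <= b[1] and b[0] <= a[1]

def merge_adjacent(ranges):
    """Merge a range only into its immediate predecessor (never re-sort)."""
    merged = []
    for r in ranges:
        if merged and overlaps(merged[-1], r):
            merged[-1] = (min(merged[-1][0], r[0]), max(merged[-1][1], r[1]))
        else:
            merged.append(r)
    return merged

def merge_any(ranges):
    """Merge a range into every earlier range it overlaps, keeping the slot
    of the earliest one; handles a range whose two ends hit different ranges."""
    merged = []
    for r in ranges:
        hits = [i for i, m in enumerate(merged) if overlaps(m, r)]
        if not hits:
            merged.append(r)
            continue
        group = [merged[i] for i in hits] + [r]
        merged[hits[0]] = (min(g[0] for g in group), max(g[1] for g in group))
        for i in reversed(hits[1:]):  # drop the ranges that were absorbed
            del merged[i]
    return merged

def fmt(ranges):
    return ",".join(f"{s}-" if e == math.inf else f"{s}-{e}" for s, e in ranges)

if __name__ == "__main__":
    jumpy = parse_ranges("1000-2000,100-200,3000-4000,200-300,1999-3001")
    print(fmt(merge_adjacent(jumpy)), "|", fmt(merge_any(jumpy)))
```

On the out-of-order header from the message above, the adjacent-only policy returns all five ranges unchanged, while the any-overlap policy collapses them to `1000-4000,100-300`.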
