Alpha ZealPHP is early-stage and under active development. APIs may change between minor versions until v1.0. Feedback and bug reports welcome on GitHub.
Esc
API Index — Namespaces, Packages, Reports, Indices

RangeMiddleware
in package
implements MiddlewareInterface

HTTP Range Request Middleware (RFC 7233)

Handles Range: bytes=... headers, returning 206 Partial Content for satisfiable single and multi-range requests and 416 Range Not Satisfiable for out-of-bounds ranges.

Also adds Accept-Ranges: bytes to all eligible 200 responses.

Only applies to GET responses with a non-empty body. Streaming responses and non-200 upstream responses are passed through.

Security: enforces a maximum number of range specs per request to prevent the CVE-2011-3192 class of multi-range DoS amplification attacks. Default is 200, matching Apache's AP_DEFAULT_MAX_RANGES. When the spec count exceeds the cap the Range header is ignored and a full 200 response is returned — the same behaviour as Apache (not a 416).

RFC 7233 §2.1 conformance: if any single spec in a multi-range header is syntactically invalid, the ENTIRE Range header is ignored (full 200).

RFC 7233 §3.2 — If-Range HTTP-date: when the If-Range value does not begin with a double-quote it is treated as an HTTP-date and compared against the upstream Last-Modified header using Apache's one-minute clock-skew rule.

Usage in app.php: $app->addMiddleware(new \ZealPHP\Middleware\RangeMiddleware());

To raise or lower the per-request range cap:

$mw = new \ZealPHP\Middleware\RangeMiddleware();
$mw->maxRanges = 50;
$app->addMiddleware($mw);

Table of Contents

Interfaces

MiddlewareInterface

Properties

$maxRanges  : int
Maximum number of range specs accepted per request.

Methods

process()  : ResponseInterface
multiRange()  : ResponseInterface
setHeader()  : void
Queue a response header via the ZealPHP response wrapper (production path).
singleRange()  : ResponseInterface
unsatisfiable()  : ResponseInterface

Properties

$maxRanges

Maximum number of range specs accepted per request.

public int $maxRanges = 200

Matches Apache's AP_DEFAULT_MAX_RANGES (byterange_filter.c:59). When exceeded the Range header is ignored and a full 200 is returned.

Methods

process()

public process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
Parameters
$request : ServerRequestInterface
$handler : RequestHandlerInterface
Return values
ResponseInterface

multiRange()

private multiRange(array<int, array{0: int, 1: int}> $ranges, string $body, int $total, string $contentType, RequestContext $g) : ResponseInterface
Parameters
$ranges : array<int, array{0: int, 1: int}>
$body : string
$total : int
$contentType : string
$g : RequestContext
Return values
ResponseInterface

setHeader()

Queue a response header via the ZealPHP response wrapper (production path).

private setHeader(RequestContext $g, string $key, string $value) : void

Guards against null in unit-test contexts where zealphp_response is not set.

Parameters
$g : RequestContext
$key : string
$value : string

singleRange()

private singleRange(array{0: int, 1: int} $range, string $body, int $total, RequestContext $g) : ResponseInterface
Parameters
$range : array{0: int, 1: int}
$body : string
$total : int
$g : RequestContext
Return values
ResponseInterface
On this page