httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Mitigation Range header (Was: DoS with mod_deflate & range requests)
Date Wed, 24 Aug 2011 11:33:12 GMT
Folks,

This issue is now active in the wild. So some unified/simple comms is needed. 

What is the wisdom on mitigation advice/briefing until a proper fix is out - in order of ease:

->	Where possible - disable mod_deflate
	
	=> we sure this covers all cases - or this is a good stopgap ?

->	Where possible - set LimitRequestFieldSize to a small value

	->	Suggestion of 128 fine ?

->	Where this is not possible (e.g. long cookies, auth headers of serious size) consider using
	mod_rewrite to not accept more than a few commas

	=>	anyone a config snippet for this ?

->	Perhaps a stop gap module

	http://people.apache.org/~dirkx/mod_rangecnt.c (is this kosher??)

->	Apply patch XXX from the mailing list

Any thoughts ? Followed by a - upgrade as soon as a release is made

Thanks,

Dw
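
A sketch of the header-size and comma-count mitigations listed in the message above, as an added example that is not part of the original post or of any project patch. The limit of five ranges is an assumed value for "a few commas", and the three options are alternatives, not a set.

```apache
# Added example. Assumed threshold: at most 5 ranges (4 commas) per request.

# Option 1: cap the size of every request header field.
# This applies to ALL headers, so long cookies or large auth headers
# will be rejected too; use only where 128 bytes is enough for them.
LimitRequestFieldSize 128

# Option 2: mod_rewrite - answer 403 when Range lists more than 5 ranges.
# An absent Range header expands to the empty string and is allowed.
# Rules in the main server config are not inherited by virtual hosts
# by default, so repeat them per vhost or use "RewriteOptions Inherit".
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:Range} !^(bytes=[^,]+(,[^,]+){0,4})?$ [NC]
    RewriteRule .* - [F]
</IfModule>

# Option 3: mod_setenvif + mod_headers - drop the Range header instead of
# refusing the request, so the client receives the full entity (200).
# The pattern fires on 5 or more commas, i.e. 6 or more ranges.
<IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
        SetEnvIf Range "(,[^,]*){5}" bad-range=1
        RequestHeader unset Range env=bad-range
    </IfModule>
</IfModule>
```

Logging the `bad-range` variable with a conditional `CustomLog ... env=bad-range` shows which clients send such requests before a stricter limit is enforced.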