httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Advisory improvement
Date Fri, 26 Aug 2011 11:34:48 GMT
From the Full Disclosure list. Does anyone have time to confirm this improvement?

On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote:
> RewriteEngine on
> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
> RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
> RewriteRule .* - [F]
> 
> Because if you don't specify the [OR] Apache will combine the rules
> making an AND (and you don't want this!).
> 
> Also use NC=(nocase) to prevent the attacker upper casing "bytes="
> (don't know if it will work.. but just to prevent)

Pretty please!

Thanks,

Dw.
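
The quoted rule set modelled in Python so the [OR] and [NC] flags can be checked against sample requests; this is an added example, not part of the original message or of Apache. It assumes Python's `re` treats this pattern the way mod_rewrite's regex engine does and that an absent header expands to an empty string; `cond_true`, `forbidden` and `ranges` are hypothetical helper names, and the requests are constructed.

```python
import re

# Pattern copied verbatim from the two RewriteCond lines in the quoted message.
PATTERN = r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)"


def cond_true(value, nocase=True):
    """A RewriteCond with a leading '!' is true when the value does NOT match."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(PATTERN, value, flags) is None


def forbidden(headers, join="OR", nocase=True):
    """Return True when the modelled rule set would answer 403 ([F])."""
    # Header names are case-insensitive; %{HTTP:name} is "" when absent
    # (assumption stated above), which is why the pattern also accepts ^$.
    h = {k.lower(): v for k, v in headers.items()}
    c1 = cond_true(h.get("range", ""), nocase)
    c2 = cond_true(h.get("request-range", ""), nocase)
    return (c1 or c2) if join == "OR" else (c1 and c2)


def ranges(n, unit="bytes"):
    """Build a constructed header value with n small byte ranges."""
    return unit + "=" + ",".join(f"{i * 10}-{i * 10 + 4}" for i in range(n))


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("no range headers", {}),
    ("1 range", {"Range": ranges(1)}),
    ("5 ranges", {"Range": ranges(5)}),
    ("6 ranges in Range", {"Range": ranges(6)}),
    ("6 ranges in Request-Range", {"Request-Range": ranges(6)}),
    ("6 ranges in both", {"Range": ranges(6), "Request-Range": ranges(6)}),
    ("1 range, upper-case unit", {"Range": ranges(1, "BYTES")}),
]

if __name__ == "__main__":
    print(f"{'request':<28}{'[OR]':<8}{'AND':<8}{'[OR], no NC'}")
    for name, hdrs in SAMPLES:
        row = (forbidden(hdrs), forbidden(hdrs, join="AND"),
               forbidden(hdrs, nocase=False))
        print(f"{name:<28}" + "".join(f"{'403' if r else 'pass':<8}" for r in row))
```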


