httpd-dev mailing list archives

From Greg Ames <ames.g...@gmail.com>
Subject Re: VOTES please -- CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (Final-6)
Date Wed, 24 Aug 2011 15:23:29 GMT
On Wed, Aug 24, 2011 at 10:56 AM, Dirk-Willem van Gulik <dirkx@webweaving.org> wrote:

+1 with Eric's edits. Specifically,

>
> 1) Use mod_rewrite to limit the number of ranges:
>

Option 1 doesn't use mod_rewrite.

  Option 1:
>          # drop Range header when more than 5 ranges.
>          # CVE-2011-3192
>          SetEnvIf Range (,.*?){5,} bad-range=1
>          RequestHeader unset Range env=bad-range
>
>          # optional logging.
>          CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>

Greg
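
The threshold in the quoted SetEnvIf pattern, checked against constructed Range headers. This is an added example, not part of the message or the advisory; the helper names and sample headers are made up here, and Python's `re` is assumed to treat this pattern the same way as the regex engine httpd uses.

```python
import re

# Pattern copied from the SetEnvIf line in the quoted mitigation.
BAD_RANGE = re.compile(r"(,.*?){5,}")


def would_unset(range_header: str) -> bool:
    """True when the pattern matches anywhere in the header value, i.e. when
    bad-range=1 would be set and RequestHeader would unset Range."""
    return BAD_RANGE.search(range_header) is not None


def count_ranges(range_header: str) -> int:
    """Count comma-separated range-specs after the unit, ignoring empty elements."""
    _, _, specs = range_header.partition("=")
    return sum(1 for s in specs.split(",") if s.strip())


def make_header(n: int) -> str:
    """Constructed sample: n non-overlapping two-byte ranges."""
    return "bytes=" + ",".join(f"{2 * i}-{2 * i + 1}" for i in range(n))


# Constructed inputs around the boundary, plus a header padded with empty elements.
SAMPLES = [
    make_header(1),
    make_header(5),     # 4 commas
    make_header(6),     # 5 commas
    make_header(50),
    "bytes=0-1,,,,,",   # one real range, five commas
]


def report():
    """Return (header, range count, would the Range header be unset) per sample."""
    return [(h, count_ranges(h), would_unset(h)) for h in SAMPLES]


if __name__ == "__main__":
    for header, n, dropped in report():
        shown = header if len(header) <= 40 else header[:37] + "..."
        print(f"{n:3d} ranges  unset={dropped!s:5}  {shown}")
```

The pattern counts commas rather than parsed ranges, so five ranges pass, six are dropped, and a header with five commas is dropped even when it carries a single real range.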
