httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <>
Subject Re: VOTES please -- CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (Final-5)
Date Wed, 24 Aug 2011 14:53:01 GMT
> CustomLog logs/range.log "%r %{Range}i" env=bad-range

Actually I was only using that to show/debug the result of the
directives, did not occur that folks would also want to log these!

Of course that makes sense though.

Unfortunately we lose the range header in the log when we zap it, so
logging it is not really so useful in concert with the conditional.
so probably just wise to collect them under common logformat:

SetEnvIf Range (,[^,]*){5,} bad-range=1
RequestHeader unset Range env=bad-range
CustomLog logs/range.log common env=bad-range

Eric Covener

View raw message