httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)
Date Wed, 24 Aug 2011 14:29:01 GMT
 

> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com] 
> Sent: Wednesday, 24 August 2011 15:29
> To: dev@httpd.apache.org
> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)
> 
> On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener <covener@gmail.com> wrote:
> >> *       Is this the right list (and order) of the mitigations - or should ReWrite be first ?
> > FWIW I don't like rewrite first because it's so unruly with being
> > defined once per vhost + main server + RewriteEngine on.
> >
> > I like RequestHeader simplicity, and could be combined with SetEnvIf
> > to only zap long malicious looking headers.
> >
> e.g.
> 
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range

Nice one as well. Might be even better than the rewrite rule.

Regards

Rüdiger
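The SetEnvIf/RequestHeader pair quoted above is Apache configuration, so it cannot be run directly outside httpd. The following Python is an added illustration (not code from the thread or from the httpd project) that mirrors what the two directives do: an unanchored search with the exact regex `(,.*?){5,}` over the Range value, and removal of the header when it matches. The function names, the sample Range values and the request-header dicts are constructed for this example; it assumes Python's `re` behaves like PCRE for this particular pattern, which holds because the pattern uses only commas, lazy `.*?` and a counted repetition.

```python
import re

# Regex copied from the quoted SetEnvIf line. It matches any Range value
# containing five or more commas, i.e. six or more comma-separated byte
# ranges (the first range has no leading comma and is not counted).
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def is_bad_range(value: str) -> bool:
    """Mirror of `SetEnvIf Range (,.*?){5,} bad-range=1`.

    SetEnvIf runs an unanchored regex search on the header value, so
    re.search (not re.fullmatch) is the faithful equivalent.
    """
    return BAD_RANGE_RE.search(value) is not None


def apply_mitigation(headers: dict) -> dict:
    """Mirror of `RequestHeader unset Range env=bad-range`.

    Returns a copy of the request headers with Range removed whenever the
    SetEnvIf rule would have set bad-range. Header names are compared
    case-insensitively, as httpd does.
    """
    out = {}
    for name, value in headers.items():
        if name.lower() == "range" and is_bad_range(value):
            # Header dropped: httpd then serves the whole resource with 200
            # instead of building a multipart/byteranges response.
            continue
        out[name] = value
    return out


# Constructed sample Range values (hypothetical, not taken from the thread).
SAMPLES = {
    "single range": "bytes=0-499",
    "two ranges": "bytes=0-499,1000-1499",
    "five ranges": "bytes=0-0,1-1,2-2,3-3,4-4",        # four commas: kept
    "six ranges": "bytes=0-0,1-1,2-2,3-3,4-4,5-5",    # five commas: stripped
    "fifty ranges": "bytes=" + ",".join(f"0-{i}" for i in range(50)),
}


def classify_samples() -> dict:
    """Label -> True when the SetEnvIf rule would flag that Range value."""
    return {label: is_bad_range(value) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, flagged in classify_samples().items():
        print(f"{label:13s} -> {'strip Range' if flagged else 'keep Range'}")
    print(apply_mitigation({"Host": "example.org",
                            "Range": SAMPLES["six ranges"]}))
```

Two points worth checking before deploying the directives themselves: the threshold is on comma count, not on whether ranges overlap, so a legitimate client asking for six or more ranges in one request also loses its Range header and receives a full 200 response; and because the match is unanchored, a single five-comma value anywhere in the header is enough, which is the intended behaviour here.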
