httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: Advisory improvement
Date Fri, 26 Aug 2011 11:39:45 GMT
Below comments make sense to me.
We should pick this up.

Regards

Rüdiger 

> -----Original Message-----
> From: Dirk-Willem van Gulik 
> Sent: Freitag, 26. August 2011 13:35
> To: dev@httpd.apache.org
> Subject: Advisory improvement
> 
> From the Full Disclosure list. Does anyone have time to 
> confirm this improvement?
> 
> On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote:
> > RewriteEngine on
> > RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
> > RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
> > RewriteRule .* - [F]
> > 
> > Because if you don't specify the [OR] apache will combine the rules
> > making an AND (and you don't want this!).
> > 
> > Also use NC=(nocase) to prevent the attacker upper casing "bytes="
> > (don't know if it will work.. but just to prevent)
> 
> Pretty Please !
> 
> Thanks,
> 
> Dw.
> 
> 
> 
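
Added example (not part of the original messages or the httpd project's code): a Python model of how mod_rewrite combines the two quoted RewriteCond lines, showing which requests the `[F]` rule rejects with and without `[OR]`. The function names and sample header values are constructed for illustration; a missing header is assumed to expand to the empty string, which is the case the pattern's `^$` branch covers.

```python
import re

# Pattern copied from the RewriteCond lines in the message; [NC] maps to IGNORECASE.
ALLOWED = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)", re.IGNORECASE)


def cond_fires(header_value):
    """Model of `RewriteCond %{HTTP:x} !pattern`: true when the value does NOT match.

    Assumption: an absent header is treated as the empty string, which `^$` accepts.
    """
    return ALLOWED.search(header_value or "") is None


def forbidden(headers, use_or=True):
    """Return True if `RewriteRule .* - [F]` would fire for these request headers.

    use_or=True  -> first condition carries [OR], as in the message.
    use_or=False -> no [OR]; consecutive conditions are ANDed.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    c1 = cond_fires(lower.get("range"))
    c2 = cond_fires(lower.get("request-range"))
    return (c1 or c2) if use_or else (c1 and c2)


def ranges(n):
    """Constructed sample value: a Range header carrying n byte ranges."""
    return "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(n))


if __name__ == "__main__":
    samples = [
        ("no range headers", {}),
        ("5 ranges", {"Range": ranges(5)}),
        ("6 ranges", {"Range": ranges(6)}),
        ("6 ranges, upper-case unit", {"Range": ranges(6).upper()}),
        ("6 ranges in Request-Range", {"Request-Range": ranges(6)}),
    ]
    for label, hdrs in samples:
        print(f"{label:28} OR={forbidden(hdrs)!s:5} AND={forbidden(hdrs, use_or=False)}")
```

With the conditions ANDed, a request that sends six ranges in only one of the two headers is not rejected, because the other header is empty and satisfies `^$`.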
