My criticism has to do with your implementation.
There's no point in fixing exploitable code with
a differently exploitable implementation.  Just
buffer things in an internal array and merge the
string once at the end of the loop, and *not* as
you iterate over the elements of the range header.

From: Jim Jagielski <>
Sent: Thursday, August 25, 2011 5:10 PM
Subject: Re: svn commit: r1161661 - /httpd/httpd/trunk/modules/http/byterange_filter.c

On Aug 25, 2011, at 5:02 PM, Joe Schaefer wrote:

> +1, also has the advantage of not being a quadratic
> allocator the way Jim's usage of apr_pstrcat is.

So what, exactly, will ap_set_byterange() do…? It was
my impression that it created our r->range entry...
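
The allocation difference argued over in this thread, as an added example that is not part of the original messages or of httpd: it counts the pool bytes consumed when a string is rebuilt on every loop iteration versus joined once from a buffered array. `pool_alloc`, `join_incremental`, `join_once` and `pool_cost` are hypothetical names, the bump allocator is an assumed stand-in for pool semantics (not the APR API), and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Bump allocator standing in for a request pool (assumption, not the APR API):
 * nothing is freed until the pool is reset, so every allocation counts. */
static char arena[1u << 20];
static size_t pool_used;
static char *pool_alloc(size_t n) {
    if (n > sizeof arena - pool_used) return NULL;
    pool_used += n;
    return arena + pool_used - n;
}

/* Criticized pattern: build a new, longer string on every iteration. */
static char *join_incremental(const char **parts, size_t n) {
    char *out = pool_alloc(1);
    if (out) out[0] = '\0';
    for (size_t i = 0; out && i < n; i++) {
        size_t old = strlen(out), add = strlen(parts[i]);
        char *next = pool_alloc(old + add + 1);
        if (!next) return NULL;
        memcpy(next, out, old);                /* re-copy everything so far */
        memcpy(next + old, parts[i], add + 1); /* append piece and its NUL */
        out = next;
    }
    return out;
}

/* Suggested pattern: keep the pieces in an array, allocate and copy once. */
static char *join_once(const char **parts, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += strlen(parts[i]);
    char *out = pool_alloc(total + 1), *w = out;
    for (size_t i = 0; out && i < n; i++) {
        size_t len = strlen(parts[i]);
        memcpy(w, parts[i], len);
        w += len;
    }
    if (out) *w = '\0';
    return out;
}

/* Pool bytes consumed by one join run against an empty pool (0 on failure). */
static size_t pool_cost(char *(*join)(const char **, size_t), const char **parts, size_t n) {
    pool_used = 0;
    return join(parts, n) ? pool_used : 0;
}

int main(void) {
    const char *parts[200]; /* constructed input: 200 identical short pieces */
    for (size_t i = 0; i < 200; i++) parts[i] = "0-1,";
    printf("incremental: %zu bytes, once: %zu bytes\n",
           pool_cost(join_incremental, parts, 200), pool_cost(join_once, parts, 200));
}
```

Doubling the number of pieces roughly quadruples the incremental figure, while the join-once figure only doubles.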