Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Delivered-To: mailing list dev@httpd.apache.org
Subject: Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)
From: Jim Jagielski
In-Reply-To:
Date: Wed, 24 Aug 2011 11:08:00 -0400
Message-Id:
<01AC8502-7F4C-495F-88AF-F626DC6E44A0@jaguNET.com>
References: <5E9A092C-A449-4318-8A31-FA0481EB04B7@webweaving.org>
To: dev@httpd.apache.org

+1

On Aug 24, 2011, at 10:29 AM, Plüm, Rüdiger, VF-Group wrote:

>
>
>> -----Original Message-----
>> From: Eric Covener [mailto:covener@gmail.com]
>> Sent: Wednesday, 24 August 2011 15:29
>> To: dev@httpd.apache.org
>> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in
>> Apache 1.3 and Apache 2 (DRAFT-3)
>>
>> On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener wrote:
>>>> * Is this the right list (and order) of the
>>>> mitigations - or should ReWrite be first ?
>>> FWIW I don't like rewrite first because it's so unruly with being
>>> defined once per vhost + main server + RewriteEngine on.
>>>
>>> I like RequestHeader simplicity, and could be combined with SetEnvIf
>>> to only zap long malicious looking headers.
>>>
>> e.g.
>>
>> SetEnvIf Range (,.*?){5,} bad-range=1
>> RequestHeader unset Range env=bad-range
>
> Nice one as well. Might be even better than the rewrite rule.
>
> Regards
>
> Rüdiger
>
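As an added illustration (not code from the thread or from httpd itself), the following Python models the two-directive mitigation quoted above and checks how the `(,.*?){5,}` regex behaves at its boundary on constructed Range values; the header names and sample values are assumptions made for the example.

```python
import re

# Regex copied verbatim from the SetEnvIf line in the thread. It matches any
# Range value that contains five or more commas, i.e. six or more byte ranges.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def apply_range_mitigation(headers):
    """Model the two directives from the thread:

        SetEnvIf Range (,.*?){5,} bad-range=1
        RequestHeader unset Range env=bad-range

    `headers` maps request header name -> value (names compared
    case-insensitively, as httpd does).  Returns (new_headers, env):
    the headers the handler would see and the env variables SetEnvIf set.
    """
    env = {}
    out = dict(headers)
    range_name = next((k for k in out if k.lower() == "range"), None)
    # SetEnvIf: run the regex against the Range value, set bad-range on a hit.
    if range_name is not None and BAD_RANGE_RE.search(out[range_name]):
        env["bad-range"] = "1"
    # RequestHeader unset ... env=bad-range: drop the header only when set.
    if "bad-range" in env:
        del out[range_name]
    return out, env


def range_header_kept(value):
    """True if a Range header carrying `value` survives the mitigation."""
    out, _ = apply_range_mitigation({"Range": value})
    return "Range" in out


# Constructed sample values (not from the thread) around the regex boundary.
SAMPLES = {
    "single": "bytes=0-499",
    "two":    "bytes=0-499,1000-1499",
    "five":   "bytes=" + ",".join("%d-%d" % (i * 10, i * 10 + 5) for i in range(5)),   # 4 commas
    "six":    "bytes=" + ",".join("%d-%d" % (i * 10, i * 10 + 5) for i in range(6)),   # 5 commas
    "twenty": "bytes=" + ",".join("%d-%d" % (i * 10, i * 10 + 5) for i in range(20)),  # 19 commas
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print("%-7s ranges kept=%s" % (name, range_header_kept(value)))
```

Legitimate one- or two-range requests pass untouched, while the rule only starts stripping at the sixth range, which is the trade-off the thread describes as zapping only long-looking headers.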