From: Eric Covener
To: dev@httpd.apache.org
Subject: Re: Final draft / CVE-2011-3192
Date: Wed, 24 Aug 2011 15:40:21 -0400
In-Reply-To: <7C3A95E6-D1B6-4E5A-9B52-922CD27C8370@webweaving.org>

I'm seeing Apache 2.0 doesn't accept our RequestHeader syntax due to a
defect, it misinterprets it as a value and fails startup.

If we have the opportunity to amend, I think we need to suggest the
rewrite flavor for Apache 2.0 and earlier, not just 1.3 and earlier.

Also for 1.3, is our RE safe for non-PCRE? And should we reconsider
the "5" for something more liberal?

>   Option 1: (Apache 2.0 and 2.2)
>
>          # drop Range header when more than 5 ranges.
>          # CVE-2011-3192
>          SetEnvIf Range (,.*?){5,} bad-range=1
>          RequestHeader unset Range env=bad-range
>
>          # optional logging.
>          CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>
>   Option 2: (Also for Apache 1.3)
>
>          # Reject request when more than 5 ranges in the Range: header.
>          # CVE-2011-3192
>          #
>          RewriteEngine on
>          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
>          RewriteRule .* - [F]
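
To compare how the two quoted options classify a given Range value, and what changing the "5" would do, the sketch below runs both patterns over constructed sample headers. It is an added example, not part of the original message or the draft advisory; it uses Python's `re` as a stand-in for the server's regex engine, and the function names and the `limit` parameter are hypothetical.

```python
import re

# Assumption: Python's re stands in for the regex engine httpd is built with.
# Both patterns are copied from the quoted options; only the count is a parameter.

def option1_drops_range(value, limit=5):
    """Option 1: SetEnvIf Range (,.*?){5,} sets bad-range, so Range is unset."""
    return re.search(r"(,.*?){%d,}" % limit, value) is not None

def option2_forbids(value, limit=5):
    """Option 2: RewriteCond negates the allow-pattern, RewriteRule answers [F]."""
    allowed = r"(^bytes=[^,]+(,[^,]+){0,%d}$|^$)" % (limit - 1)
    return re.search(allowed, value) is None

# Constructed sample values; "" stands for a request without a Range header.
SAMPLES = [
    "",
    "bytes=0-499",
    "bytes=0-1,2-3,4-5,6-7,8-9",        # 5 ranges
    "bytes=0-1,2-3,4-5,6-7,8-9,10-11",  # 6 ranges
    "bytes=0-1,,4-5",                   # empty list element
    "Bytes=0-499",                      # range unit in a different case
]

def compare(limit=5):
    """Return {value: (dropped_by_option1, forbidden_by_option2)} per sample."""
    return {v: (option1_drops_range(v, limit), option2_forbids(v, limit))
            for v in SAMPLES}

if __name__ == "__main__":
    for value, (dropped, forbidden) in compare().items():
        print(f"{value!r:36} option1-unset={dropped!s:5} option2-403={forbidden}")
```

Both options agree on the count (five ranges pass, six do not), but Option 2 is an allow-list: it also rejects values that are not a clean `bytes=` list, which Option 1 leaves untouched.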