httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: RequestHeader early with CVE-2011-3192
Date Thu, 01 Sep 2011 14:35:36 GMT
On Thu, 1 Sep 2011 16:58:07 +0300
Yehezkel Horowitz <horowity@checkpoint.com> wrote:

> Hello
> 
> In case I don't want to support "Range" and "Request-Range" headers at all, would it be safe to remove those headers in the early processing hook?
> 
> Something like:
> RequestHeader unset Range early
> RequestHeader unset Request-Range early
> 
> I'm asking because the documentation of mod_headers recommends not using the early mode in an operational server.

This would be on-topic for the users list rather than here.

The reason for that recommendation is that when used 'early' it will
have side-effects, like ignoring the context it's supposed to be
configured for.

If you want the unset to apply server-wide, then early should be fine.


-- 
Nick Kew
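
A configuration check for the scoping issue described in the reply, as an added example that is not part of the original thread: it flags `RequestHeader ... early` lines placed inside per-path sections and reports which of `Range` and `Request-Range` are not unset early at server or virtual-host level. The function name `lint`, the list of section names and the sample configuration are assumptions made for this illustration.

```python
import re

# Sections whose scope depends on the request path; per the reply above,
# an 'early' RequestHeader does not honour such a context.
PATH_SECTIONS = {"directory", "directorymatch", "location", "locationmatch",
                 "files", "filesmatch"}
WANTED = {"range", "request-range"}  # headers the question wants removed

OPEN = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>$")
CLOSE = re.compile(r"<\s*/\s*([A-Za-z]+)\s*>$")

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
# constructed sample
RequestHeader unset Range early
<VirtualHost *:80>
    <Location /downloads>
        RequestHeader unset Request-Range early
    </Location>
</VirtualHost>
"""


def lint(config_text):
    """Return (warnings, missing): mis-scoped early lines and headers not unset."""
    stack, warnings, unset_ok = [], [], set()
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        words = line.split()
        if words[0].lower() != "requestheader" or words[-1].lower() != "early":
            continue
        scoped = [s for s in stack if s in PATH_SECTIONS]
        if scoped:
            warnings.append((lineno, f"'early' inside <{scoped[-1]}>: context is not honoured"))
        elif len(words) >= 4 and words[1].lower() == "unset":
            unset_ok.add(words[2].strip('"').lower())
    return warnings, sorted(WANTED - unset_ok)
```

On the constructed sample, the `Request-Range` line is flagged because it sits inside `<Location>`, and `request-range` is reported as not removed server-wide.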
