Re: Grave apache dos possible through byterange requests

On 26/08/11 11:17, Christian Hammers wrote:
> Hello
> Word is spreading that "Request-Range:" seems to be a synonym for "Range:" and
> is similarly vulnerable but not covered by the config snippets that were
> proposed yesterday. So Gentlemen, patch again! :-(

Just modified the suggested solution[1], adding an [OR] (and nocase) to
also match request-range:

RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
RewriteRule .* - [F]

[1] https://lwn.net/Articles/456268/
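
The rule set above can be checked offline before it is deployed. The following is an added example, not part of the original message: it models in Python how the two RewriteCond lines joined by [OR] decide whether a request gets the [F] (403) response. The function name `is_forbidden` and the sample header values are constructed for illustration.

```python
import re

# Pattern copied from the RewriteCond lines in the message above.
# [NC] is modelled with re.IGNORECASE.
ALLOWED = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)", re.IGNORECASE)


def is_forbidden(headers):
    """Return True if the rule set would answer 403 for these headers.

    Each RewriteCond is true when its header value does NOT match the
    allowed pattern (the leading '!'). The two conditions are joined by
    [OR], so one offending header is enough. mod_rewrite expands
    %{HTTP:name} to the empty string when the header is absent, which
    the ^$ branch of the pattern accepts.
    """
    # HTTP header names are case-insensitive.
    lowered = {name.lower(): value for name, value in headers.items()}

    def cond(name):
        return ALLOWED.search(lowered.get(name, "")) is None

    return cond("range") or cond("request-range")


# Constructed sample requests (header dictionaries), not captured traffic.
SAMPLES = {
    "no range header": {},
    "single range": {"Range": "bytes=0-499"},
    "five ranges": {"Range": "bytes=0-1,2-3,4-5,6-7,8-9"},
    "six ranges": {"Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"},
    "six ranges via Request-Range": {
        "Request-Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"
    },
    "upper-case unit": {"Range": "BYTES=0-10"},
    "benign Range, long Request-Range": {
        "Range": "bytes=0-499",
        "Request-Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11",
    },
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        verdict = "403 Forbidden" if is_forbidden(headers) else "passed on"
        print(f"{label:35s} {verdict}")
```
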

