Re: Grave apache dos possible through byterange requests

To: linbloke <linbloke@fastmail.fm>
Cc: Carlos Alberto Lopez Perez <clopez@igalia.com>, debian-security@lists.debian.org
Subject: Re: Grave apache dos possible through byterange requests
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Date: Fri, 26 Aug 2011 14:06:04 +0200
Message-id: <[🔎] 1567DE1A-B6B5-4FB2-AE56-73C760793B63@webweaving.org>
In-reply-to: <[🔎] 4E5781F4.1030903@fastmail.fm>
References: <[🔎] 20110826111700.64bfc0f0@sys-251.netcologne.de> <[🔎] 4E577AF0.8080300@igalia.com> <[🔎] 4E5781F4.1030903@fastmail.fm>

On 26 aug. 2011, at 13:22, linbloke wrote:

> I'm curious as to why you suggest option 2 over option 1 from the Apache advisory? My guess is that it is compatible with version 1.3 and 2.x and that is has stronger enforcement of the syntax (by requiring ^bytes=) rather than just 5 comma separated fields. 
...
> RequestHeader unset Range env=bad-range

Correct; env=bad-range is not functional until midway the 2.x (2.2) series.

> I don't want to touch every virtualhost config and Rewrite rules scare me too.

A rewrite rule requires more care - as it may get negated deeper down. RequestHeader and SetEnvIf are more robust.

Dw.

Reply to:

References:
- Re: Grave apache dos possible through byterange requests
  - From: Christian Hammers <ch@debian.org>
- Re: Grave apache dos possible through byterange requests
  - From: Carlos Alberto Lopez Perez <clopez@igalia.com>
- Re: Grave apache dos possible through byterange requests
  - From: linbloke <linbloke@fastmail.fm>

Prev by Date: Re: Grave apache dos possible through byterange requests
Next by Date: Re: Grave apache dos possible through byterange requests
Previous by thread: Re: Grave apache dos possible through byterange requests
Next by thread: Re: Grave apache dos possible through byterange requests
Index(es):
- Date
- Thread