Re: Grave apache dos possible through byterange requests
On 26 aug. 2011, at 13:22, linbloke wrote:
> I'm curious as to why you suggest option 2 over option 1 from the Apache advisory? My guess is that it is compatible with version 1.3 and 2.x and that it has stronger enforcement of the syntax (by requiring ^bytes=) rather than just 5 comma-separated fields.
> RequestHeader unset Range env=bad-range
Correct; env=bad-range is not functional until midway through the 2.x (2.2) series.
> I don't want to touch every virtualhost config and Rewrite rules scare me too.
A rewrite rule requires more care - as it may get negated deeper down. RequestHeader and SetEnvIf are more robust.
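
The difference between a pure field-count check and an anchored `^bytes=` check that this exchange discusses, as an added example that is not part of the original thread. Both regular expressions and the sample header values are constructed for illustration and are not quoted from the Apache advisory.

```python
import re

# Assumed patterns written for this example (not the advisory's text):
# COMMA_COUNT only counts fields; STRICT also enforces the "bytes=" syntax.
COMMA_COUNT = re.compile(r"(?:,.*?){5}")                 # five or more commas anywhere
STRICT = re.compile(r"^bytes=[^,]+(?:,[^,]+){0,4}$")     # "bytes=" plus 1 to 5 non-empty fields


def count_check_flags(value):
    """True when the count-only check would mark the Range value as bad."""
    return COMMA_COUNT.search(value) is not None


def strict_check_flags(value):
    """True when the anchored check would reject the Range value.

    An empty string stands for "no Range header sent" and is always allowed.
    """
    return value != "" and STRICT.match(value) is None


# Constructed sample Range header values.
SAMPLES = [
    "",                              # no Range header
    "bytes=0-499",                   # ordinary single range
    "bytes=0-1,2-3,4-5,6-7,8-9",     # five ranges, still within the limit
    "bytes=0-,0-,0-,0-,0-,0-",       # six ranges, over the limit
    "items=0-1,2-3",                 # wrong unit, few fields
    "bytes=0-1,,2-3",                # empty field, few commas
]


def compare(samples):
    """Map each value to (flagged by count check, flagged by strict check)."""
    return {s: (count_check_flags(s), strict_check_flags(s)) for s in samples}


if __name__ == "__main__":
    for value, (by_count, by_strict) in compare(SAMPLES).items():
        print(f"{value!r:32} count-only={by_count!s:5} strict={by_strict}")
```

The last two samples are where the checks disagree: they pass a count-only test but fail the anchored syntax test.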