[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Grave apache dos possible through byterange requests

On 26 aug. 2011, at 13:22, linbloke wrote:

> I'm curious as to why you suggest option 2 over option 1 from the Apache advisory? My guess is that it is compatible with version 1.3 and 2.x and that is has stronger enforcement of the syntax (by requiring ^bytes=) rather than just 5 comma separated fields. 
> RequestHeader unset Range env=bad-range

Correct; env=bad-range is not functional until midway the 2.x (2.2) series.

> I don't want to touch every virtualhost config and Rewrite rules scare me too.

A rewrite rule requires more care - as it may get negated deeper down. RequestHeader and SetEnvIf are more robust.


Reply to: