
Re: Grave apache dos possible through byterange requests



On 26/08/11 11:17, Christian Hammers wrote:
> Hello
> 
> Word is spreading that "Request-Range:" seems to be a synonym for "Range:" and
> is similarly vulnerable but not covered by the config snippets that were
> proposed yesterday. So Gentlemen, patch again! :-(
> 
Confirmed!

Just modified the suggested solution[1], adding an [OR] (and nocase) to
also match request-range


RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
RewriteRule .* - [F]


[1] https://lwn.net/Articles/456268/
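
Added example, not part of the original message or of Apache: a small Python check that applies the pattern from the two RewriteCond lines above to constructed header sets, so the rule can be compared against a variant that only looks at Range. The helper names (is_forbidden, ranges, evaluate) and all sample requests are made up for illustration.

```python
import re

# Pattern copied from the RewriteCond lines above: an empty/absent header,
# or "bytes=" followed by at most five comma-separated ranges. [NC] -> IGNORECASE.
ALLOWED = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)", re.IGNORECASE)


def is_forbidden(headers, guarded=("range", "request-range")):
    """True when any guarded header fails the pattern (the [OR] chain -> [F])."""
    # Header names are case-insensitive; a missing header is the empty string,
    # which the "^$" alternative accepts.
    lowered = {name.lower(): value for name, value in headers.items()}
    return any(ALLOWED.search(lowered.get(name, "")) is None for name in guarded)


def ranges(n):
    """Constructed header value carrying n byte ranges."""
    return "bytes=" + ",".join(f"{i * 10}-{i * 10 + 9}" for i in range(n))


# Constructed sample requests (header dicts), not taken from real traffic.
SAMPLES = {
    "no range header": {"Host": "example.test"},
    "single range": {"Range": "bytes=0-499"},
    "five ranges, mixed case": {"RANGE": "Bytes=" + ranges(5)[6:]},
    "six ranges in Range": {"Range": ranges(6)},
    "six ranges in Request-Range": {"Request-Range": ranges(6)},
    "trailing comma": {"Range": "bytes=0-9,"},
}


def evaluate(guarded=("range", "request-range")):
    """Map each sample label to whether the rule would answer 403."""
    return {label: is_forbidden(h, guarded) for label, h in SAMPLES.items()}


if __name__ == "__main__":
    both, range_only = evaluate(), evaluate(("range",))
    for label in SAMPLES:
        print(f"{label:30} both={both[label]!s:5} range-only={range_only[label]}")
```

The range-only column shows the gap described in the quoted message: a rule that inspects only Range lets the six-range Request-Range sample through.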
