Re: Grave Apache DoS possible through byterange requests
Carlos Alberto Lopez Perez wrote:
> The new advisory [1] recommends this:
>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (?:,.*?){5,5} bad-range=1
> RequestHeader unset Range env=bad-range
>
> # We always drop Request-Range; as this is a legacy
> # dating back to MSIE3 and Netscape 2 and 3.
> RequestHeader unset Request-Range
>
> # optional logging.
> CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
> CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range
What's the use of the second CustomLog line?
'bad-req-range' is never set, is it?
- Thomas
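To see exactly what the quoted SetEnvIf rule matches, here is an added Python example (not code from the advisory or from anyone in this thread) that applies the same regex with unanchored search semantics, as SetEnvIf does, to constructed sample Range headers and then applies the quoted unset rules. It shows that the rule fires at five commas, i.e. six or more ranges, and that the only environment variable the quoted snippet can ever set is bad-range.

```python
import re

# Regex copied verbatim from the quoted advisory snippet. With search
# semantics it matches any Range value containing at least five commas,
# which means six or more range specs ("more than 5 ranges").
BAD_RANGE_RE = re.compile(r"(?:,.*?){5,5}")

# Constructed sample header values for this example (not from the page).
SAMPLE_HEADERS = {
    "single": "bytes=0-99",
    "five":   "bytes=0-0,1-1,2-2,3-3,4-4",            # 4 commas: kept
    "six":    "bytes=0-0,1-1,2-2,3-3,4-4,5-5",        # 5 commas: dropped
    "flood":  "bytes=" + ",".join(f"{i}-{i}" for i in range(1000)),
}


def count_ranges(value):
    """Count non-empty comma-separated range specs after 'bytes='."""
    _, _, specs = value.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


def setenvif_range(headers):
    """Mimic 'SetEnvIf Range (?:,.*?){5,5} bad-range=1'.

    SetEnvIf applies the regex unanchored, so re.search is the right
    analogue. Returns the environment variables that would be set.
    """
    env = {}
    value = headers.get("Range")
    if value is not None and BAD_RANGE_RE.search(value):
        env["bad-range"] = "1"
    return env


def filter_request(headers):
    """Apply the quoted rules; return (remaining headers, env vars set)."""
    env = setenvif_range(headers)
    out = dict(headers)
    if "bad-range" in env:
        out.pop("Range", None)        # RequestHeader unset Range env=bad-range
    out.pop("Request-Range", None)    # Request-Range is always dropped
    return out, env


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        remaining, env = filter_request({"Range": value})
        print(f"{name:6} ranges={count_ranges(value):4} "
              f"dropped={'Range' not in remaining} env={env}")
```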