> -----Original Message-----
> From: Eric Covener [mailto:cove...@gmail.com] 
> Sent: Wednesday, 24 August 2011 15:29
> To: dev@httpd.apache.org
> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in 
> Apache 1.3 and Apache 2 (DRAFT-3)
> 
> On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener 
> <cove...@gmail.com> wrote:
> >> *       Is this the right list (and order) of the mitigations - or should ReWrite be first ?
> > FWIW I don't like rewrite first because it's so unruly with being
> > defined once per vhost + main server + RewriteEngine on.
> >
> > I like RequestHeader simplicity, and could be combined with SetEnvIf
> > to only zap long malicious looking headers.
> >
> e.g.
> 
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range

Nice one as well. Might be even better than the rewrite rule.

Regards

Rüdiger
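
The effect of the two directives quoted above, as an added example that is not part of the original mails or of httpd itself: a Python emulation of the SetEnvIf match and the conditional unset, run over constructed Range values. The names `filter_headers` and `unset_report`, the host name and the sample headers are assumptions made for illustration.

```python
import re

# Pattern copied verbatim from the SetEnvIf line quoted above. SetEnvIf does an
# unanchored regex match, which re.search reproduces here.
BAD_RANGE = re.compile(r"(,.*?){5,}")


def filter_headers(headers):
    """Emulate: SetEnvIf Range (,.*?){5,} bad-range=1
                RequestHeader unset Range env=bad-range
    Returns (headers passed on to the handler, env vars that were set)."""
    env = {}
    # Header field names are case-insensitive, so look the key up that way.
    key = next((k for k in headers if k.lower() == "range"), None)
    if key is not None and BAD_RANGE.search(headers[key]):
        env["bad-range"] = "1"
    passed = dict(headers)
    if "bad-range" in env:
        del passed[key]  # request is then served as if no Range was sent
    return passed, env


# Constructed sample values (not taken from the thread or from real traffic).
SAMPLES = {
    "single range": "bytes=0-499",
    "5 ranges, 4 commas": "bytes=0-99,200-299,400-499,600-699,800-899",
    "6 ranges, 5 commas": "bytes=0-99,200-299,400-499,600-699,800-899,1000-1099",
    "20 ranges": "bytes=" + ",".join(f"{i * 100}-{i * 100 + 49}" for i in range(20)),
}


def unset_report(samples=SAMPLES):
    """Map each sample label to True when the Range header gets unset."""
    report = {}
    for label, value in samples.items():
        passed, _env = filter_headers({"Host": "example.test", "Range": value})
        report[label] = "Range" not in passed
    return report


if __name__ == "__main__":
    for label, unset in unset_report().items():
        print(f"{label:20} -> {'unset' if unset else 'kept'}")
```

The threshold is the number of commas: a request for up to five ranges keeps its Range header, while six or more ranges lose it and the request is handled as a normal full-body request.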
