+1 On Aug 24, 2011, at 10:29 AM, Plüm, Rüdiger, VF-Group wrote:
>
> >> -----Original Message-----
> >> From: Eric Covener [mailto:cove...@gmail.com]
> >> Sent: Wednesday, 24. August 2011 15:29
> >> To: dev@httpd.apache.org
> >> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in
> >> Apache 1.3 and Apache 2 (DRAFT-3)
> >>
> >> On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener
> >> <cove...@gmail.com> wrote:
> >>>> * Is this the right list (and order) of the
> >>>> mitigations - or should ReWrite be first ?
> >>> FWIW I don't like rewrite first because it's so unruly with being
> >>> defined once per vhost + main server + RewriteEngine on.
> >>>
> >>> I like RequestHeader simplicity, and could be combined with SetEnvIf
> >>> to only zap long malicious looking headers.
> >>>
> >> e.g.
> >>
> >> SetEnvIf Range (,.*?){5,} bad-range=1
> >> RequestHeader unset Range env=bad-range
>
> Nice one as well. Might be even better than the rewrite rule.
>
> Regards
>
> Rüdiger
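The SetEnvIf/RequestHeader mitigation quoted above, as an added example that is not part of the thread: a Python mirror of the same check, run over constructed Range header values (not real captures), which also shows that the expression counts commas, so a header with exactly five ranges (four commas) passes while six ranges trip it. The header dict and its canonical "Range" key are assumptions of this example.

```python
import re

# Same expression as the quoted SetEnvIf line: it matches when the header
# value contains at least five commas, i.e. six or more range specs.
BAD_RANGE = re.compile(r"(,.*?){5,}")


def range_count(value):
    """Count the byte-range specs in a value such as 'bytes=0-99,200-'."""
    _, _, spec = value.partition("=")
    return sum(1 for part in spec.split(",") if part.strip())


def is_bad_range(value):
    """Mirror of `SetEnvIf Range (,.*?){5,} bad-range=1`."""
    return BAD_RANGE.search(value) is not None


def filter_headers(headers):
    """Mirror of `RequestHeader unset Range env=bad-range`: return a copy of
    the request headers (assumed keyed by canonical name) with Range removed
    when it was flagged, plus a flag saying whether that happened."""
    out = dict(headers)
    if "Range" in out and is_bad_range(out["Range"]):
        del out["Range"]
        return out, True
    return out, False


# Constructed sample values; nothing here is from a real capture.
SAMPLES = {
    "single": "bytes=0-99",
    "three": "bytes=0-1,2-3,4-5",
    "five": "bytes=0-1,2-3,4-5,6-7,8-9",        # five ranges, four commas: kept
    "six": "bytes=0-,1-,2-,3-,4-,5-",            # six ranges, five commas: dropped
    "many": "bytes=" + ",".join("0-" for _ in range(40)),
}


def classify_samples():
    """Map each sample name to (range count, flagged?)."""
    return {name: (range_count(v), is_bad_range(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (count, flagged) in classify_samples().items():
        print(f"{name:7s} ranges={count:3d} flagged={flagged}")
```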