I'm seeing Apache 2.0 doesn't accept our RequestHeader syntax due to a
defect, it misinterprets it as a value and fails startup.
If we have the opportunity to amend, I think we need to suggest the
rewrite flavor for Apache 2.0 and earlier, not just 1.3 and earlier.
Also for 1.3, is our RE safe for non-PCRE? And should we reconsider
the "5" for something more liberal?
> Option 1: (Apache 2.0 and 2.2)
>
> # drop Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
>
> # optional logging.
> CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>
> Option 2: (Also for Apache 1.3)
>
> # Reject request when more than 5 ranges in the Range: header.
> # CVE-2011-3192
> #
> RewriteEngine on
> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
> RewriteRule .* - [F]
