Below comments make sense to me. We should pick this up.

Regards

Rüdiger

> -----Original Message-----
> From: Dirk-Willem van Gulik
> Sent: Friday, 26 August 2011 13:35
> To: dev@httpd.apache.org
> Subject: Advisory improvement
>
> From the Full Disclosure list. Does anyone have time to
> confirm this improvement.
>
> On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote:
> > RewriteEngine on
> > RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
> > RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
> > RewriteRule .* - [F]
> >
> > Because if you don't specify the [OR] apache will combine the rules
> > making an AND (and you don't want this!).
> >
> > Also use NC=(nocase) to prevent the attacker upper casing "bytes="
> > (don't know if it will work.. but just to prevent)
>
> Pretty Please !
>
> Thanks,
>
> Dw.
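
Added example, not part of the thread above and not httpd code: a small Python model of how the two quoted RewriteCond lines combine, to check the [OR] and [NC] behaviour against constructed headers. The function names, the sample headers and the assumption that %{HTTP:name} expands to an empty string for an absent header are this example's own.

```python
import re

# Pattern copied from the quoted RewriteCond lines: a header is acceptable if it
# is empty or "bytes=" followed by at most five comma-separated ranges.
ALLOWED = r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)"

# Constructed sample inputs (not captured traffic).
FIVE_RANGES = "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(5))
SIX_RANGES = "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(6))


def cond_matches(value, nocase):
    """Model one negated RewriteCond: true when the value does NOT fit ALLOWED."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(ALLOWED, value, flags) is None


def forbidden(headers, join="OR", nocase=True):
    """Return True when 'RewriteRule .* - [F]' would fire for this request.

    headers: dict of request headers.
    join:    "OR" models the [OR] flag, "AND" models the default combination.
    nocase:  models the [NC] flag on both conditions.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    # Assumption: an absent header is tested as the empty string.
    results = [cond_matches(lower.get(name, ""), nocase)
               for name in ("range", "request-range")]
    return any(results) if join == "OR" else all(results)


if __name__ == "__main__":
    cases = [
        ("six ranges in Range only", {"Range": SIX_RANGES}),
        ("six ranges in Request-Range only", {"Request-Range": SIX_RANGES}),
        ("five ranges in Range", {"Range": FIVE_RANGES}),
        ("upper-case unit, one range", {"Range": "BYTES=0-499"}),
        ("no range headers", {}),
    ]
    for label, hdrs in cases:
        print(f"{label:34} OR={forbidden(hdrs, 'OR')!s:5} "
              f"AND={forbidden(hdrs, 'AND')!s:5} "
              f"OR-without-NC={forbidden(hdrs, 'OR', nocase=False)}")
```

With the default AND, a request carrying six ranges in only one of the two headers is not rejected, because the absent header satisfies `^$`. Since both conditions are negated allow-lists, [NC] decides whether a short list written as `BYTES=` is accepted; an over-long list fails the pattern with or without it.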