* Folks - do we also need to add Request-Range ?
* Updated with Rudigers comments, Eric, Florians
* Consensus that the deflate stuff needs to go out reflected.
* More Comments please. Esp. on the quality and realisticness of the
mitigations.
* Is this the right
* Is this the right list (and order) of the mitigations - or should
ReWrite be first ?
FWIW I don't like rewrite first because it's so unruly with being
defined once per vhost + main server + RewriteEngine on.
I like RequestHeader simplicity, and could be combined with SetEnvIf
to only
On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener cove...@gmail.com wrote:
* Is this the right list (and order) of the mitigations - or should
ReWrite be first ?
FWIW I don't like rewrite first because it's so unruly with being
defined once per vhost + main server + RewriteEngine on.
I
On Wed, Aug 24, 2011 at 9:29 AM, Eric Covener cove...@gmail.com wrote:
On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener cove...@gmail.com wrote:
* Is this the right list (and order) of the mitigations - or should
ReWrite be first ?
FWIW I don't like rewrite first because it's so unruly
. August 2011 15:08
To: Dirk-Willem van Gulik
Cc: dev@httpd.apache.org; secur...@httpd.apache.org
Subject: Re: CVE-2011-3192: Range header DoS vulnerability in
Apache 1.3 and Apache 2 (DRAFT-3)
* Folks - do we also need to add Request-Range ?
* Updated with Rudigers comments
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Mittwoch, 24. August 2011 15:29
To: dev@httpd.apache.org
Subject: Re: CVE-2011-3192: Range header DoS vulnerability in
Apache 1.3 and Apache 2 (DRAFT-3)
On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener
cove
+1
On Aug 24, 2011, at 10:29 AM, Plüm, Rüdiger, VF-Group wrote:
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Mittwoch, 24. August 2011 15:29
To: dev@httpd.apache.org
Subject: Re: CVE-2011-3192: Range header DoS vulnerability in
Apache 1.3 and Apache
On Wed, 24 Aug 2011 09:30:34 -0400
Eric Covener cove...@gmail.com wrote:
Or more like Ruedigers:
SetEnvIf Range (,[^,]*){5,} bad-range=1
Or just
Untaint HTTP_RANGE (,[^,]*){5,}
Is it time to re-suggest dropping mod_taint into trunk?
--
Nick Kew