Posted to dev@httpd.apache.org by Yehezkel Horowitz <ho...@checkpoint.com> on 2011/09/01 15:58:07 UTC

RequestHeader early with CVE-2011-3192

Hello

In case I don't want to support "Range" and "Request-Range" headers at all, would it be safe to remove those headers in the early processing hook?

Something like:
RequestHeader unset Range early
RequestHeader unset Request-Range early

I'm asking because the documentation of mod_headers recommends not using the early mode in an operational server.

Thanks

Yehezkel Horowitz
Check Point Software Technologies Ltd.


Re: RequestHeader early with CVE-2011-3192

Posted by Nick Kew <ni...@webthing.com>.
On Thu, 1 Sep 2011 16:58:07 +0300
Yehezkel Horowitz <ho...@checkpoint.com> wrote:

> Hello
> 
> In case I don't want to support "Range" and "Request-Range" headers at all, would it be safe to remove those headers in the early processing hook?
> 
> Something like:
> RequestHeader unset Range early
> RequestHeader unset Request-Range early
> 
> I'm asking because the documentation of mod_headers recommends not using the early mode in an operational server.

This would be on-topic for the users list rather than here.

The reason for that recommendation is that when used 'early' it will
have side-effects, like ignoring the context it's supposed to be
configured for.

If you want the unset to apply server-wide, then early should be fine.


-- 
Nick Kew
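
One way to confirm that a server-wide unset of "Range" and "Request-Range" actually took effect, as an added example that is not part of either message above: it sends a single-byte range request with each header and reports whether the server still answers 206. The function names, and the host, port and path arguments, are assumptions made for this illustration.

```python
import http.client
import sys

# The two request headers named in the thread.
PROBE_HEADERS = ("Range", "Request-Range")


def range_honored(host, port, path="/", header="Range", timeout=5):
    """Return True if a one-byte range request is answered with 206.

    The path should point at a static file larger than one byte; dynamic
    content may answer 200 whether or not the header was stripped.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={header: "bytes=0-0"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        # 206 with Content-Range means the header reached range handling.
        return resp.status == 206 and resp.getheader("Content-Range") is not None
    finally:
        conn.close()


def check_mitigation(host, port, path="/"):
    """Map each probed header to True (still honored) or False (ignored)."""
    return {h: range_honored(host, port, path, h) for h in PROBE_HEADERS}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_range.py HOST PORT [PATH]")
    target_path = sys.argv[3] if len(sys.argv) > 3 else "/"
    results = check_mitigation(sys.argv[1], int(sys.argv[2]), target_path)
    for name, honored in results.items():
        print(f"{name}: {'STILL HONORED' if honored else 'ignored'}")
    # Non-zero exit if any range header is still being processed.
    sys.exit(1 if any(results.values()) else 0)
```
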