You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Yehezkel Horowitz <ho...@checkpoint.com> on 2011/09/01 15:58:07 UTC
RequestHeader early with CVE-2011-3192
Hello
In case I don't want to support "Range" and "Request-Range" headers at all, would it be safe to remove those headers in the early processing hook?
Something like:
RequestHeader unset Range early
RequestHeader unset Range-Request early
I'm asking because the documentation of mod_headers recommends not using the early mode in an operational server.
Thanks
Yehezkel Horowitz
Check Point Software Technologies Ltd.
Re: RequestHeader early with CVE-2011-3192
Posted by Nick Kew <ni...@webthing.com>.
On Thu, 1 Sep 2011 16:58:07 +0300
Yehezkel Horowitz <ho...@checkpoint.com> wrote:
> Hello
>
> In case I don't want to support "Range" and "Request-Range" headers at all, would it be safe to remove those headers in the early processing hook?
>
> Something like:
> RequestHeader unset Range early
> RequestHeader unset Range-Request early
>
> I'm asking because the documentation of mod_headers recommends not using the early mode in an operational server.
This would be on-topic for the users list rather than here.
The reason for that recommendation is that when used 'early' it will
have side-effects, like ignoring the context it's supposed to be
configured for.
If you want the unset to apply server-wide, then early should be fine.
--
Nick Kew