Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2011/08/26 13:34:48 UTC

Advisory improvement

From the Full Disclosure list. Does anyone have time to confirm this improvement?

On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote:
> RewriteEngine on
> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
> RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
> RewriteRule .* - [F]
> 
> Because if you don't specify the [OR] apache will combine the rules
> making an AND (and you don't want this!).
> 
> Also use NC=(nocase) to prevent the attacker upper casing "bytes="
> (don't know if it will work.. but just to prevent)

Pretty Please !

Thanks,

Dw.
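
The effect of the [OR] and [NC] flags in the rule quoted above can be checked offline with a small model of the two conditions. This is an added example, not part of the original message or of Apache httpd; the function names and the sample header values are constructed for illustration, and a missing header is assumed to expand to the empty string, as it does in mod_rewrite.

```python
import re

# Pattern copied from the rule in the message; [NC] is modelled with re.IGNORECASE.
ALLOWED = r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)"

def cond(value, nocase=True):
    """One RewriteCond with a leading '!': true when the value is NOT allowed."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(ALLOWED, value or "", flags) is None

def forbidden(headers, use_or=True, nocase=True):
    """Model of the two RewriteCond lines feeding 'RewriteRule .* - [F]'.
    Assumption: a header that is absent is evaluated as the empty string."""
    h = {k.lower(): v for k, v in headers.items()}
    c1 = cond(h.get("range", ""), nocase)
    c2 = cond(h.get("request-range", ""), nocase)
    # With [OR] either condition triggers the rule; without it both must hold.
    return (c1 or c2) if use_or else (c1 and c2)

# Constructed sample requests (not taken from the thread).
SAMPLES = {
    "no range header": {},
    "single range": {"Range": "bytes=0-499"},
    "five ranges": {"Range": "bytes=0-1,2-3,4-5,6-7,8-9"},
    "six ranges": {"Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"},
    "six ranges, upper case": {"Range": "BYTES=0-1,2-3,4-5,6-7,8-9,10-11"},
    "six ranges in Request-Range": {
        "Request-Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"},
}

def report():
    """Return (name, blocked with [OR], blocked without [OR]) per sample."""
    return [(name, forbidden(h, use_or=True), forbidden(h, use_or=False))
            for name, h in SAMPLES.items()]

if __name__ == "__main__":
    for name, with_or, with_and in report():
        print(f"{name:30} [OR]: {'403' if with_or else 'pass'}"
              f"   no [OR]: {'403' if with_and else 'pass'}")
```

Without [OR], a request that carries the over-long list in only one of the two headers passes, because the empty other header satisfies `^$` and the second negated condition is false.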



RE: Advisory improvement

Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
Below comments make sense to me.
We should pick this up.

Regards

Rüdiger 

> -----Original Message-----
> From: Dirk-Willem van Gulik 
> Sent: Friday, 26 August 2011 13:35
> To: dev@httpd.apache.org
> Subject: Advisory improvement
> 
> From the Full Disclosure list. Does anyone have time to 
> confirm this improvement?
> 
> On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote:
> > RewriteEngine on
> > RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
> > RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
> > RewriteRule .* - [F]
> > 
> > Because if you don't specify the [OR] apache will combine the rules
> > making an AND (and you don't want this!).
> > 
> > Also use NC=(nocase) to prevent the attacker upper casing "bytes="
> > (don't know if it will work.. but just to prevent)
> 
> Pretty Please !
> 
> Thanks,
> 
> Dw.