Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2011/08/26 13:34:48 UTC
Advisory improvement
From the Full Disclosure list. Does anyone have time to confirm this improvement?
On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote:
> RewriteEngine on
> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
> RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
> RewriteRule .* - [F]
>
> Because if you don't specify the [OR] Apache will combine the rules
> making an AND (and you don't want this!).
>
> Also use NC=(nocase) to prevent the attacker upper casing "bytes="
> (don't know if it will work.. but just to prevent)
Pretty Please !
Thanks,
Dw.
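The effect of the [OR] and [NC] flags discussed above, modelled in Python as an added example (not part of the original thread or the advisory). It assumes mod_rewrite's behaviour that consecutive RewriteCond lines are ANDed unless flagged [OR] and that %{HTTP:...} is empty for an absent header; the function names and sample header values are constructed.

```python
import re

# Allow-list from the quoted rule: "bytes=" plus at most five ranges, or empty.
ALLOWED = r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)"

def cond(headers, name, nocase):
    """One negated RewriteCond: True when the header value is NOT allowed.
    Assumption: %{HTTP:name} expands to "" when the header is absent."""
    value = headers.get(name, "")
    return re.search(ALLOWED, value, re.I if nocase else 0) is None

def forbidden(headers, use_or=True, nocase=True):
    """Would 'RewriteRule .* - [F]' fire for these request headers?"""
    c1 = cond(headers, "range", nocase)
    c2 = cond(headers, "request-range", nocase)
    # Without [OR] on the first line, mod_rewrite ANDs the two conditions.
    return (c1 or c2) if use_or else (c1 and c2)

# Constructed sample requests; header names are lower-cased for lookup.
SIX = "bytes=0-1,2-3,4-5,6-7,8-9,10-11"
SAMPLES = {
    "no Range header": {},
    "five ranges": {"range": "bytes=0-1,2-3,4-5,6-7,8-9"},
    "six ranges in Range": {"range": SIX},
    "six ranges in Request-Range": {"request-range": SIX},
    "six ranges in both": {"range": SIX, "request-range": SIX},
    "upper-case unit": {"range": "BYTES=0-99"},
}

def verdicts(headers):
    """(with [NC,OR], with [NC] only, with [OR] only) -> True means 403."""
    return (forbidden(headers),
            forbidden(headers, use_or=False),
            forbidden(headers, nocase=False))

if __name__ == "__main__":
    print(f"{'request':30} [NC,OR]  [NC]   [OR]")
    for label, headers in SAMPLES.items():
        a, b, c = verdicts(headers)
        print(f"{label:30} {a!s:8} {b!s:6} {c!s}")
```

In the AND form a six-range value in only one header is not rejected, because the absent header expands to an empty string and matches `^$`. Without [NC] the pattern rejects `BYTES=0-99`, so in this model the flag decides whether an upper-case unit is accepted, not whether an over-long list is caught.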
RE: Advisory improvement
Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
The comments below make sense to me.
We should pick this up.
Regards
Rüdiger
> -----Original Message-----
> From: Dirk-Willem van Gulik
> Sent: Friday, 26 August 2011 13:35
> To: dev@httpd.apache.org
> Subject: Advisory improvement
>
> From the Full Disclosure list. Does anyone have time to
> confirm this improvement?
>
> On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote:
> > RewriteEngine on
> > RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
> > RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
> > RewriteRule .* - [F]
> >
> > Because if you don't specify the [OR] Apache will combine the rules
> > making an AND (and you don't want this!).
> >
> > Also use NC=(nocase) to prevent the attacker upper casing "bytes="
> > (don't know if it will work.. but just to prevent)
>
> Pretty Please !
>
> Thanks,
>
> Dw.