You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Eric Covener <co...@gmail.com> on 2011/08/24 21:40:21 UTC

Re: Final draft / CVE-2011-3192

I'm seeing Apache 2.0 doesn't accept our RequestHeader syntax due to a
defect, it misinterprets it as a value and fails startup.

If we have the opportunity to amend, I think we need to suggest the
rewrite flavor for Apache 2.0 and earlier, not just 1.3 and earlier.

Also for 1.3, is our RE safe for non-PCRE? And should we reconsider
the "5" for something more liberal?

>   Option 1: (Apache 2.0 and 2.2)
>
>          # drop Range header when more than 5 ranges.
>          # CVE-2011-3192
>          SetEnvIf Range (,.*?){5,} bad-range=1
>          RequestHeader unset Range env=bad-range
>
>          # optional logging.
>          CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>
>   Option 2: (Also for Apache 1.3)
>
>          # Reject request when more than 5 ranges in the Range: header.
>          # CVE-2011-3192
>          #
>          RewriteEngine on
>          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
>          RewriteRule .* - [F]

Re: Final draft / CVE-2011-3192

Posted by Dirk-WIllem van Gulik <di...@webweaving.org>.

That is fine - we can do another update tomorrow, say noon zulu - if we expect that we do not have a proper patch and/or a 2.0.65 / 2.2.20 in the day following.

Weird though - my 2.0.61 and 64 does seem fine. So probably very early 2.0 series.

Dw

On 24 Aug 2011, at 20:40, Eric Covener wrote:

> I'm seeing Apache 2.0 doesn't accept our RequestHeader syntax due to a
> defect, it misinterprets it as a value and fails startup.
> 
> If we have the opportunity to amend, I think we need to suggest the
> rewrite flavor for Apache 2.0 and earlier, not just 1.3 and earlier.
> 
> Also for 1.3, is our RE safe for non-PCRE? And should we reconsider
> the "5" for something more liberal?
> 
>>   Option 1: (Apache 2.0 and 2.2)
>> 
>>          # drop Range header when more than 5 ranges.
>>          # CVE-2011-3192
>>          SetEnvIf Range (,.*?){5,} bad-range=1
>>          RequestHeader unset Range env=bad-range
>> 
>>          # optional logging.
>>          CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>> 
>>   Option 2: (Also for Apache 1.3)
>> 
>>          # Reject request when more than 5 ranges in the Range: header.
>>          # CVE-2011-3192
>>          #
>>          RewriteEngine on
>>          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
>>          RewriteRule .* - [F]
>