On 26/08/11 11:17, Christian Hammers wrote: > Hallo > > Word is spreading that "Request-Range:" seems to be a synonym to "Range:" and > is similar vulnerable but not covered by the config snippets that were > proposed yesterday. So Gentlemen, patch again! :-( > Confirmed!.
Just modified the suggest solution[1] adding an [OR] (and nocase) for
also matching for request-range
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
RewriteRule .* - [F]
[1] https://lwn.net/Articles/456268/
signature.asc
Description: OpenPGP digital signature
