From the Full Disclosure list. Does anyone have time to confirm this
improvement?

On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote:
> RewriteEngine on
> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
> RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
> RewriteRule .* - [F]
> 
> Because if you don't specify the [OR] apache will combine the rules
> making an AND (and you don't want this!).
> 
> Also use NC=(nocase) to prevent the attacker upper casing "bytes="
> (don't know if it will work.. but just to prevent)

Pretty Please !

Thanks,

Dw.
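
The logic of the quoted rules can be checked offline. The following is an added example, not part of the original message and not Apache code: it emulates the two negated RewriteCond lines in Python and shows what changes when the first condition lacks [OR]. The helper names `ranges`, `cond` and `forbidden` and all sample headers are constructed for illustration, and Python's `re` is assumed to behave like mod_rewrite's regex engine for this simple pattern.

```python
import re

# Pattern copied from the quoted RewriteCond lines; [NC] maps to re.IGNORECASE.
PATTERN = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)", re.IGNORECASE)


def ranges(n):
    """Build a constructed Range value with n comma-separated byte ranges."""
    return "bytes=" + ",".join(f"{i}-{i}" for i in range(n))


def cond(value):
    """One RewriteCond with a leading '!': true when the pattern does NOT match.
    A missing header expands to the empty string, which the '^$' branch accepts."""
    return PATTERN.search(value or "") is None


def forbidden(headers, use_or=True):
    """Emulate both RewriteCond lines followed by 'RewriteRule .* - [F]'.
    use_or=False models the first condition written without the [OR] flag."""
    h = {k.lower(): v for k, v in headers.items()}
    c1 = cond(h.get("range"))
    c2 = cond(h.get("request-range"))
    return (c1 or c2) if use_or else (c1 and c2)


if __name__ == "__main__":
    samples = [  # constructed requests, not captured traffic
        ("no range headers", {}),
        ("single range", {"Range": "bytes=0-499"}),
        ("five ranges", {"Range": ranges(5)}),
        ("six ranges", {"Range": ranges(6)}),
        ("six ranges, upper case", {"Range": ranges(6).upper()}),
        ("six ranges in Request-Range only", {"Request-Range": ranges(6)}),
    ]
    for label, hdrs in samples:
        print(f"{label:34} OR={forbidden(hdrs)!s:5} AND={forbidden(hdrs, use_or=False)}")
```

The last sample is the case the [OR] remark is about: with the conditions ANDed, a request that carries the many-range value in only one of the two headers is not rejected.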

