> But for content that is proxied via mod_proxy_http, the request
> including the bad Range: header hits the backend server. So, if the
> backend server is also an Apache, which is still vulnerable to
> CVE-2011-3192, it would receive malicious Range headers unfiltered.
>
> Is this intended behavior? Couldn't we filter out bad ranges on proxy
> request too?

This is intended. None of the fixes to the issue that have been discussed here drop the header itself; that's just the circumvention until the header could be safely processed.
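
What filtering bad ranges in front of a backend could look like, as an added example that is not part of the thread and not Apache's code. The names `parse_ranges`, `has_overlap` and `forward_decision`, the `MAX_RANGES` limit of 5, and the policy of stripping the header (so the backend answers with the full body) are assumptions made for illustration; headers are assumed to arrive in a dict keyed by the exact name `Range`.

```python
import re

MAX_RANGES = 5  # assumed policy limit for this example, not a value from the thread
_SPEC = re.compile(r"(\d*)-(\d*)", re.ASCII)

def parse_ranges(value):
    """Parse 'bytes=a-b,c-,-n' into (first, last) pairs; None marks an omitted end."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit")
    out = []
    for item in (s.strip() for s in specs.split(",")):
        if not item:
            continue  # empty list elements are tolerated
        m = _SPEC.fullmatch(item)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("malformed range spec: %r" % item)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError("last < first in %r" % item)
        out.append((first, last))
    if not out:
        raise ValueError("empty range set")
    return out

def has_overlap(ranges):
    """True if two ranges with a known start share at least one byte."""
    spans = sorted((f, float("inf") if l is None else l)
                   for f, l in ranges if f is not None)
    return any(cur[0] <= prev[1] for prev, cur in zip(spans, spans[1:]))

def forward_decision(headers):
    """Return (headers to send to the backend, reason); Range is stripped if rejected."""
    value = headers.get("Range")
    if value is None:
        return dict(headers), "no-range"
    try:
        ranges = parse_ranges(value)
    except ValueError:
        reason = "malformed"
    else:
        if len(ranges) > MAX_RANGES:
            reason = "too-many-ranges"
        elif has_overlap(ranges):
            reason = "overlapping-ranges"
        else:
            return dict(headers), "ok"
    return {k: v for k, v in headers.items() if k != "Range"}, reason
```

Suffix ranges such as `-500` are counted toward the limit but left out of the overlap check, because resolving them needs the resource length, which only the backend knows.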
