I've been trying to apply the suggested fix to apache for CVE-2011-3192 which was to add to httpd.conf
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
However, in Apache 2.0.59, configtest says
Syntax error on line ....
header unset takes two arguments
We still require the use of the range header so to unset the whole range portion is not really an option. Any thoughts on getting this to work?
Best Answer
Bad news! mod_headers in 2.0.59 doesn't seem to play nice with environment variables in its validation code.
It parses like this:
RequestHeader {action} {inhdr} {value} {envclause}
For
unset
, 2.0.59 validates like this, scrapping a directive if it has a third argument (value
) after the directive name:So,
RequestHeader unset Range
works, andRequestHeader unset Range bytes=0-1000
breaks as intended.. butRequestHeader unset Range env=bad-range
also breaks.Someone figured that out somewhere along the line, and current versions do this, instead - putting the arguments where they belong:
So, it's still parsing the
envclause
into thevalue
position, but since unset doesn't take a value, it rearranges accordingly. So, now,RequestHeader unset Range env=bad-range
works, butRequestHeader unset Range bytes=0-1000 env=bad-range
still throws a validation error.. andRequestHeader unset Range bytes=0-1000
probably just blows up at runtime.To fix, there's no shortage of bad options - patching then recompiling mod_headers to work correctly is one option, or just flat-out upgrading Apache. But, it might be worth a shot to empty the header with
set
(no validation bugs), instead of usingunset
:On the Apache 2.2 I checked on, junk data in the "Range" field will simply be ignored; in essence, an effective unset.