--- /home/ivanr/tmp/modsecurity-apache_1.9.4/apache1/mod_security.c	2006-05-15 09:29:33.000000000 +0100
+++ mod_security.c	2007-03-11 16:25:27.653394016 +0000
@@ -79,7 +79,7 @@
 #define SMALL_BUF_SIZE 255
 
 #define MODULE_NAME "ModSecurity"
-#define MODULE_RELEASE "1.9.4"
+#define MODULE_RELEASE "1.9.5-rc1"
 #define MODULE_NAME_FULL (MODULE_NAME " v" MODULE_RELEASE " (Apache 1.3.x)")
 
 #define UNICODE_ERROR_CHARACTERS_MISSING    -1
@@ -3452,6 +3452,20 @@
             && (strncasecmp(content_type, "application/x-www-form-urlencoded", 33) == 0)
             && (msr->r->method_number == M_POST))
         {
+            int j;
+
+            /* Check that the byte range is OK. */
+
+            sec_debug_log(r, 3, "Checking byte range in POST payload");
+
+            for (j = 0; j < msr->ctx_in->length; j++) {
+                int c = ((unsigned char *)msr->ctx_in->buffer)[j];
+                if ((c < msr->dcfg->range_start) || (c > msr->dcfg->range_end)) {
+                    msr->tmp_message = ap_psprintf(r->pool, "Invalid character detected in POST payload [%i]", c);
+                    return perform_action(msr, msr->dcfg->actionset, NULL);
+                }
+            }
+
             /* parse variables before normalising the bufffer */
             sec_debug_log(r, 3, "Parsing variables from POST payload");
             if (parse_arguments(msr->_post_payload, msr->parsed_args, r, msr->dcfg, &my_error_msg) < 0) {
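Review bot: The added loop rejects a byte only when it falls outside `msr->dcfg->range_start`..`msr->dcfg->range_end`, so whether a raw NUL byte in the POST body is caught depends entirely on the configured range. The default is not visible in this hunk; if it permits 0, the string-based `parse_arguments(msr->_post_payload, ...)` call that follows would presumably stop at the NUL and leave the rest of the body uninspected. Consider rejecting it unconditionally for this content type, `if ((c == 0) || (c < msr->dcfg->range_start) || (c > msr->dcfg->range_end)) {`, or add a comment above the loop stating that the range must exclude 0 for the check to be effective. Separately, `j` is an `int` compared against `msr->ctx_in->length`, whose type is declared outside the hunk; if that type is unsigned or wider than `int`, `j` should be declared with the same type. The enclosing function begins and ends outside this hunk.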
