httpoxy workarounds, first draft patch as published for all 2.2.x+ sources
Submitted by: Dominic Scheirlinck <dominic vendhq.com>, ylavic
Reviewed by: wrowe, rpluem, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1756564 13f79535-47bb-0310-9956-ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.2.32
+ *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues.
+ [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+
*) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
[Jan Kaluza, Yann Ylavic]
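Review bot: the new CHANGES entry names the CVE and the affected interface ([f]cgi) but not what actually changes for administrators; since the rest of this commit drops the client-supplied "Proxy" request header from the CGI environment and unsets it in the default configuration, a short clause such as "by dropping the 'Proxy' request header before it reaches CGI/FastCGI environments" would let people reading the release notes judge whether their deployment is covered.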
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=1753228&view=rev
- Backport version for 2.4.x of patch:
- Trunk version of patch works (modulo CHANGES)
- +1: wrowe, rpluem, ylavic
-
*) mod_mem_cache: Don't cache incomplete responses when the client aborts
the connection, unless they are complete. PR 45049.
Not applicable to trunk, mod_mem_cache doesn't exist there.
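Review bot: the removed proposal carried the heading "Backport version for 2.4.x of patch:" although this is the 2.2.x STATUS file, which suggests the block was copied from the 2.4.x proposal verbatim; it is moot now that the entry is deleted on commit, but the next backport proposal should read 2.2.x so the votes are unambiguously attached to this branch.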
#
DefaultType text/plain
+<IfModule headers_module>
+ #
+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+ # backend servers which have lingering "httpoxy" defects.
+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
+ #
+ RequestHeader unset Proxy early
+</IfModule>
+
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
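Review bot: wrapping `RequestHeader unset Proxy early` in `<IfModule headers_module>` means the mitigation silently does nothing when mod_headers is not loaded, and because this is httpd.conf.in it only reaches fresh installs, not existing configurations; the comment block should say both things (and name mod_headers as a prerequisite) so an administrator who copies this stanza knows what to check. Minor style points in the same comment: "CGI's" should be "CGIs", and the last sentence ("'Proxy' request header is undefined by the IETF, not listed by IANA") is missing its terminating period.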
else if (!strcasecmp(hdrs[i].key, "Content-length")) {
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
}
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
/*
* You really don't want to disable this check, since it leaves you
* wide open to CGIs stealing passwords and people viewing them
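Review bot: the empty `else if (!strcasecmp(hdrs[i].key, "Proxy")) { ; }` body is correct but reads like an unfinished stub; a one-line comment inside the braces (e.g. `/* deliberately dropped: would become HTTP_PROXY */`) would make the intent self-evident. The placement in the else-if chain is sound: CGI meta-variables are built by prefixing header names with HTTP_, so only a header named exactly "Proxy" (compared case-insensitively) can surface as HTTP_PROXY, and with SECURITY_HOLE_PASS_PROXY defined the header simply falls through to the generic conversion as the deliberate opt-out, mirroring the SECURITY_HOLE_PASS_AUTHORIZATION pattern whose warning appears in the following context lines. Note that this guard only covers the CGI environment built here; the header still reaches proxied backends unless the mod_headers unset from the configuration change is also in effect.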