From: William A. Rowe Jr Date: Mon, 18 Jul 2016 14:07:00 +0000 (+0000) Subject: httpoxy workarounds, first draft patch as published for all 2.2.x+ sources X-Git-Tag: 2.5.0-alpha~1397 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=235ee2ff4097373c1ce72c17d375c0423fbd73e9;p=thirdparty%2Fapache%2Fhttpd.git httpoxy workarounds, first draft patch as published for all 2.2.x+ sources git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1753228 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in index 2036685bfea..b793a79e00d 100644 --- a/docs/conf/httpd.conf.in +++ b/docs/conf/httpd.conf.in @@ -270,6 +270,15 @@ LogLevel warn Require all granted + + # + # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied + # backend servers which have lingering "httpoxy" defects. + # 'Proxy' request header is undefined by the IETF, not listed by IANA + # + RequestHeader unset Proxy early + + # # TypesConfig points to the file containing the list of mappings from diff --git a/server/util_script.c b/server/util_script.c index 5e071a2f840..3b047bcb1a5 100644 --- a/server/util_script.c +++ b/server/util_script.c @@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r) else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) { apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); } + /* HTTP_PROXY collides with a popular envvar used to configure + * proxies, don't let clients set/override it. But, if you must... + */ +#ifndef SECURITY_HOLE_PASS_PROXY + else if (!strcasecmp(hdrs[i].key, "Proxy")) { + ; + } +#endif /* * You really don't want to disable this check, since it leaves you * wide open to CGIs stealing passwords and people viewing them