From: Yann Ylavic Date: Tue, 16 Aug 2016 23:32:35 +0000 (+0000) Subject: Merge r1753228 from trunk: X-Git-Tag: 2.2.32~103 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4dc46030c57751ab9a46202aa08254424d2c48a;p=thirdparty%2Fapache%2Fhttpd.git Merge r1753228 from trunk: httpoxy workarounds, first draft patch as published for all 2.2.x+ sources Submitted by: Dominic Scheirlinck , ylavic Reviewed by: wrowe, rpluem, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1756564 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index a26e0895e26..cd1f8f60bb8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.32 + *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues. + [Dominic Scheirlinck , Yann Ylavic] + *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params. [Jan Kaluza, Yann Ylavic] diff --git a/STATUS b/STATUS index 0dc3b221ca0..0b073901569 100644 --- a/STATUS +++ b/STATUS @@ -103,13 +103,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues - Trunk version of patch: - http://svn.apache.org/viewvc?rev=1753228&view=rev - Backport version for 2.4.x of patch: - Trunk version of patch works (modulo CHANGES) - +1: wrowe, rpluem, ylavic - *) mod_mem_cache: Don't cache incomplete responses when the client aborts the connection, unless they are complete. PR 45049. Not applicable to trunk, mod_mem_cache doesn't exist there. diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in index 5639a1ffac2..8b5efde27c3 100644 --- a/docs/conf/httpd.conf.in +++ b/docs/conf/httpd.conf.in 
@@ -284,6 +284,15 @@ LogLevel warn # DefaultType text/plain + + # + # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied + # backend servers which have lingering "httpoxy" defects. + # 'Proxy' request header is undefined by the IETF, not listed by IANA + # + RequestHeader unset Proxy early + + # # TypesConfig points to the file containing the list of mappings from diff --git a/server/util_script.c b/server/util_script.c index 925342c4940..90af7ca6ee8 100644 --- a/server/util_script.c +++ b/server/util_script.c @@ -165,6 +165,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r) else if (!strcasecmp(hdrs[i].key, "Content-length")) { apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); } + /* HTTP_PROXY collides with a popular envvar used to configure + * proxies, don't let clients set/override it. But, if you must... + */ +#ifndef SECURITY_HOLE_PASS_PROXY + else if (!strcasecmp(hdrs[i].key, "Proxy")) { + ; + } +#endif /* * You really don't want to disable this check, since it leaves you * wide open to CGIs stealing passwords and people viewing them
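Review bot: In the CHANGES hunk, the new entry "core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues" does not say what behaviour changes for an administrator. The patch does two distinct things: ap_add_common_vars() stops turning a client "Proxy" header into a CGI environment variable, and the default httpd.conf.in gains "RequestHeader unset Proxy early". Suggest naming both in the entry, along with the SECURITY_HOLE_PASS_PROXY compile-time opt-out, so someone reading the 2.2.32 change list knows that an upgraded binary with an old configuration gets only the first of the two.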
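Review bot: In the docs/conf/httpd.conf.in hunk, "RequestHeader unset Proxy early" is a mod_headers directive, and the lines as shown carry no guard around it. The empty "+" lines before the comment block and after the directive suggest a wrapper such as an IfModule section may have been dropped when the page was rendered; please confirm it is in the committed file, since without it a build that does not load mod_headers would refuse to start on the default configuration. The comment could also cite CVE-2016-5387 so the block can be matched to the CHANGES entry.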
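Review bot: In the server/util_script.c hunk, the new branch in ap_add_common_vars() drops the header with an empty statement (";") and the comment ends at "But, if you must..." without naming the escape hatch. Suggest stating in the comment that defining SECURITY_HOLE_PASS_PROXY at build time restores the old pass-through, and replacing the bare ";" with a short comment that the header is skipped on purpose, so the empty body is not mistaken for an unfinished branch. Placement also matters for readability: the unchanged comment that follows the #endif ("You really don't want to disable this check...") now sits directly under the Proxy block, so "this check" can be read as referring to the Proxy test rather than the branch it actually introduces; a blank line or a reworded first line there would remove the ambiguity.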