From: Jacob Champion Date: Mon, 17 Oct 2016 20:15:35 +0000 (+0000) Subject: Merge r1765357 from trunk: X-Git-Tag: 2.4.24~194 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc141941f52cf74a3dd39ccad93f649876f6f19e;p=thirdparty%2Fapache%2Fhttpd.git Merge r1765357 from trunk: docs: add "threat model" warning to ProxyHTMLMeta git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1765368 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_proxy_html.html.en b/docs/manual/mod/mod_proxy_html.html.en index 28bea40bfb7..e6d10550d14 100644 --- a/docs/manual/mod/mod_proxy_html.html.en +++ b/docs/manual/mod/mod_proxy_html.html.en @@ -338,6 +338,15 @@ module for earlier 2.x versions. them to real HTTP headers, in keeping with the original purpose of this form of the HTML <meta> element.

+

Warning

+ Because ProxyHTMLMeta promotes all + http-equiv elements to HTTP headers, it is important that you + only enable it in cases where you trust the HTML content as much as you + trust the upstream server. If the HTML is controlled by bad actors, it + will be possible for them to inject arbitrary, possibly malicious, HTTP + headers into your server's responses. +
+
top

ProxyHTMLStripComments Directive

diff --git a/docs/manual/mod/mod_proxy_html.xml b/docs/manual/mod/mod_proxy_html.xml index bc0ee6e49ea..c687d69da21 100644 --- a/docs/manual/mod/mod_proxy_html.xml +++ b/docs/manual/mod/mod_proxy_html.xml @@ -88,6 +88,15 @@ module for earlier 2.x versions. <meta http-equiv=...> declarations and convert them to real HTTP headers, in keeping with the original purpose of this form of the HTML <meta> element.

+ + Warning + Because ProxyHTMLMeta promotes all + http-equiv elements to HTTP headers, it is important that you + only enable it in cases where you trust the HTML content as much as you + trust the upstream server. If the HTML is controlled by bad actors, it + will be possible for them to inject arbitrary, possibly malicious, HTTP + headers into your server's responses. +
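Review bot: In the mod_proxy_html.xml hunk, the new warning names the condition ("trust the HTML content as much as you trust the upstream server") but leaves the trust boundary implicit; the risk described in the following sentence applies to anyone who can influence the HTML the backend emits (for example, user-submitted content rendered by the upstream application), not only to the operator of the upstream server. Suggest making that explicit, e.g. "only enable it where every party that can influence the proxied HTML is trusted to set your server's response headers", so readers do not read "trust the upstream server" as "trust the server's administrator".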
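Review bot: The mod_proxy_html.html.en hunk is the rendered copy of the .xml source and its added text matches the .xml hunk word for word, which is correct; if the wording of the warning in the .xml is revised during review, this generated file must be regenerated in the same commit so the two do not drift apart.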