From dc141941f52cf74a3dd39ccad93f649876f6f19e Mon Sep 17 00:00:00 2001
From: Jacob Champion
Date: Mon, 17 Oct 2016 20:15:35 +0000
Subject: [PATCH] Merge r1765357 from trunk:
docs: add "threat model" warning to ProxyHTMLMeta
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1765368 13f79535-47bb-0310-9956-ffa450edef68
---
docs/manual/mod/mod_proxy_html.html.en | 9 +++++++++
docs/manual/mod/mod_proxy_html.xml | 9 +++++++++
2 files changed, 18 insertions(+)
diff --git a/docs/manual/mod/mod_proxy_html.html.en b/docs/manual/mod/mod_proxy_html.html.en
index 28bea40bfb7..e6d10550d14 100644
--- a/docs/manual/mod/mod_proxy_html.html.en
+++ b/docs/manual/mod/mod_proxy_html.html.en
@@ -338,6 +338,15 @@ module for earlier 2.x versions.
them to real HTTP headers, in keeping with the original purpose
of this form of the HTML <meta> element.
+ Warning
+ Because ProxyHTMLMeta promotes all
+ http-equiv
elements to HTTP headers, it is important that you
+ only enable it in cases where you trust the HTML content as much as you
+ trust the upstream server. If the HTML is controlled by bad actors, it
+ will be possible for them to inject arbitrary, possibly malicious, HTTP
+ headers into your server's responses.
+
+

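Review bot: In the added warning, "promotes all http-equiv elements" is imprecise, because http-equiv is an attribute and the unchanged context just above the addition speaks of "this form of the HTML <meta> element". Suggest "promotes all <meta http-equiv=...> declarations to HTTP headers" so the warning uses the same term as the paragraph it follows. The identical nine lines are added to mod_proxy_html.xml, so any wording change needs to land in both files to keep them in sync.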
diff --git a/docs/manual/mod/mod_proxy_html.xml b/docs/manual/mod/mod_proxy_html.xml
index bc0ee6e49ea..c687d69da21 100644
--- a/docs/manual/mod/mod_proxy_html.xml
+++ b/docs/manual/mod/mod_proxy_html.xml
@@ -88,6 +88,15 @@ module for earlier 2.x versions.
<meta http-equiv=...>
declarations and convert
them to real HTTP headers, in keeping with the original purpose
of this form of the HTML <meta> element.
+
+ Warning
+ Because ProxyHTMLMeta promotes all
+ http-equiv
elements to HTTP headers, it is important that you
+ only enable it in cases where you trust the HTML content as much as you
+ trust the upstream server. If the HTML is controlled by bad actors, it
+ will be possible for them to inject arbitrary, possibly malicious, HTTP
+ headers into your server's responses.
+
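Review bot: The condition "only enable it in cases where you trust the HTML content as much as you trust the upstream server" leaves the reader to work out when those two levels of trust differ. Suggest stating the case outright: an upstream you trust may still serve HTML written by someone else (user-submitted pages, for example), and that is where ProxyHTMLMeta should stay disabled. A closing sentence telling the administrator what to do, not only what can go wrong, would make the warning actionable.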
--
2.47.2