Posted to cvs@httpd.apache.org by wr...@apache.org on 2016/07/18 14:07:00 UTC

svn commit: r1753228 - in /httpd/httpd/trunk: docs/conf/httpd.conf.in server/util_script.c

Author: wrowe
Date: Mon Jul 18 14:07:00 2016
New Revision: 1753228

URL: http://svn.apache.org/viewvc?rev=1753228&view=rev
Log:
httpoxy workarounds, first draft patch as published for all 2.2.x+ sources

Modified:
    httpd/httpd/trunk/docs/conf/httpd.conf.in
    httpd/httpd/trunk/server/util_script.c

Modified: httpd/httpd/trunk/docs/conf/httpd.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/httpd.conf.in?rev=1753228&r1=1753227&r2=1753228&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/httpd.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/httpd.conf.in Mon Jul 18 14:07:00 2016
@@ -270,6 +270,15 @@ LogLevel warn
     Require all granted
 </Directory>
 
+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
+
 <IfModule mime_module>
     #
     # TypesConfig points to the file containing the list of mappings from
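Review bot: The `RequestHeader unset Proxy early` directive is wrapped in `<IfModule headers_module>`, so on a build or configuration where mod_headers is not loaded the block silently does nothing and a client-supplied `Proxy` header still reaches any backend behind mod_proxy, which is exactly the case the comment on the two lines above says this block is meant to cover. The util_script.c change in this same commit protects local CGI regardless, but backend protection rests entirely on this one directive, so the comment should say so, e.g. `# NOTE: requires mod_headers; without it, proxied backends still receive the header.`. Since this lives in httpd.conf.in, deployments that ship their own httpd.conf presumably will not pick it up automatically and need the same directive added by hand; the comment could point that out. Using `early` looks right here so the header is removed before later modules build the backend request, though that ordering is not visible in this hunk.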

Modified: httpd/httpd/trunk/server/util_script.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_script.c?rev=1753228&r1=1753227&r2=1753228&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_script.c (original)
+++ httpd/httpd/trunk/server/util_script.c Mon Jul 18 14:07:00 2016
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
         else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them
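Review bot: The new branch compares the header name with `strcasecmp`, while the `Content-length` branch just above it in the same chain uses `ap_cstr_casecmp`; the two should match, both for consistency and because `strcasecmp` is locale-sensitive whereas `ap_cstr_casecmp` is a plain ASCII comparison, so the line should read `else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {`. The empty `;` body relies on the header being swallowed by this else-if chain so it never reaches the generic HTTP_ conversion in the trailing `else`; a one-line comment such as `/* swallowed: never exported as HTTP_PROXY */` inside the braces would make that intent explicit rather than looking like a stub. `SECURITY_HOLE_PASS_PROXY` mirrors the existing opt-out pattern referred to in the comment that follows, which seems appropriate, but the name should be mentioned in the build documentation since nothing here documents it. The enclosing `ap_add_common_vars` starts and ends outside this hunk.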