blob: dbcdfc6df6167144cb370dfd3299b94bf6f2b300 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
This patch has been copied from https://www.apache.org/security/asf-httpoxy-response.txt
as a mitigation of CVE-2016-5387.
Upstream-Status: Backport - fixed in 2.4.24
Signed-off-by: Joe Slater<jslater@windriver.com>
--- a/server/util_script.c (revision 1752426)
+++ b/server/util_script.c (working copy)
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
else if (!strcasecmp(hdrs[i].key, "Content-length")) {
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
}
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
/*
* You really don't want to disable this check, since it leaves you
* wide open to CGIs stealing passwords and people viewing them
|
