upstream/oracle/userland-gate: components/apache24/patches/httpoxy.patch@a17eef087a5e (annotated)

6724 256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	1	https://www.apache.org/security/asf-httpoxy-response.txt
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	2	http://svn.apache.org/viewvc?view=revision&revision=1753228
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	3	http://svn.apache.org/viewvc?view=revision&revision=1753229
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	4
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	5	--- docs/conf/httpd.conf.in 2016/07/18 14:00:30 1753227
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	6	+++ docs/conf/httpd.conf.in 2016/07/18 14:07:00 1753228
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	7	@@ -283,6 +283,15 @@
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	8	Require all granted
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	9	</Directory>
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	10
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	11	+<IfModule headers_module>
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	12	+ #
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	13	+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	14	+ # backend servers which have lingering "httpoxy" defects.
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	15	+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	16	+ #
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	17	+ RequestHeader unset Proxy early
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	18	+</IfModule>
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	19	+
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	20	<IfModule mime_module>
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	21	#
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	22	# TypesConfig points to the file containing the list of mappings from
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	23	--- server/util_script.c 2016/07/18 14:00:30 1753227
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	24	+++ server/util_script.c 2016/07/18 14:07:00 1753228
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	25	@@ -186,6 +186,14 @@
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	26	else if (!strcasecmp(hdrs[i].key, "Content-length")) {
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	27	apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	28	}
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	29	+ /* HTTP_PROXY collides with a popular envvar used to configure
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	30	+ * proxies, don't let clients set/override it. But, if you must...
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	31	+ */
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	32	+#ifndef SECURITY_HOLE_PASS_PROXY
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	33	+ else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	34	+ ;
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	35	+ }
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	36	+#endif
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	37	/*
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	38	* You really don't want to disable this check, since it leaves you
256d982fb18a 24311941 problem in UTILITY/APACHE Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	39	* wide open to CGIs stealing passwords and people viewing them

author	pkidd <patrick.kidd@oracle.com>
	Thu, 01 Dec 2016 09:15:00 -0800
branch	s11u3-sru
changeset 7423	a17eef087a5e
parent 6724	256d982fb18a
permissions	-rw-r--r--