author | pkidd <patrick.kidd@oracle.com> |
Thu, 01 Dec 2016 09:15:00 -0800 | |
branch | s11u3-sru |
changeset 7423 | a17eef087a5e |
parent 6724 | 256d982fb18a |
permissions | -rw-r--r-- |
1 |
https://www.apache.org/security/asf-httpoxy-response.txt |
2 |
http://svn.apache.org/viewvc?view=revision&revision=1753228 |
3 |
http://svn.apache.org/viewvc?view=revision&revision=1753229 |
4 |
|
5 |
--- docs/conf/httpd.conf.in 2016/07/18 14:00:30 1753227 |
6 |
+++ docs/conf/httpd.conf.in 2016/07/18 14:07:00 1753228 |
7 |
@@ -283,6 +283,15 @@ |
8 |
Require all granted |
9 |
</Directory> |
10 |
|
11 |
+<IfModule headers_module> |
12 |
+ # |
13 |
+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied |
14 |
+ # backend servers which have lingering "httpoxy" defects. |
15 |
+ # 'Proxy' request header is undefined by the IETF, not listed by IANA |
16 |
+ # |
17 |
+ RequestHeader unset Proxy early |
18 |
+</IfModule> |
19 |
+ |
20 |
<IfModule mime_module> |
21 |
# |
22 |
# TypesConfig points to the file containing the list of mappings from |
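Review bot: The new `RequestHeader unset Proxy early` block only takes effect when mod_headers is loaded, because it sits inside `<IfModule headers_module>`; a deployment that leaves that module unloaded silently keeps forwarding a client-supplied `Proxy` header to proxied backends, which is exactly the case the comment on lines 13-14 says this is guarding against. The util_script.c change later in this patch appears to cover only the CGI environment httpd builds itself, so it would not help backends reached through mod_proxy. I would make the dependency explicit in the template by adding `# NOTE: requires mod_headers to be loaded; without it proxied backends still receive the 'Proxy' header.` after the existing comment lines, and check that the shipped default config actually loads mod_headers. Using `early` looks right since it strips the header before proxy handlers see the request, though that is inferred from the directive rather than from anything visible in this hunk.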
23 |
--- server/util_script.c 2016/07/18 14:00:30 1753227 |
24 |
+++ server/util_script.c 2016/07/18 14:07:00 1753228 |
25 |
@@ -186,6 +186,14 @@ |
26 |
else if (!strcasecmp(hdrs[i].key, "Content-length")) { |
27 |
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); |
28 |
} |
29 |
+ /* HTTP_PROXY collides with a popular envvar used to configure |
30 |
+ * proxies, don't let clients set/override it. But, if you must... |
31 |
+ */ |
32 |
+#ifndef SECURITY_HOLE_PASS_PROXY |
33 |
+ else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) { |
34 |
+ ; |
35 |
+ } |
36 |
+#endif |
37 |
/* |
38 |
* You really don't want to disable this check, since it leaves you |
39 |
* wide open to CGIs stealing passwords and people viewing them |