1 https://www.apache.org/security/asf-httpoxy-response.txt |
2 http://svn.apache.org/viewvc?view=revision&revision=1756564 |
3 |
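--- a/docs/conf/httpd.conf.in
+++ b/docs/conf/httpd.conf.in
@@ -284,6 +284,15 @@
 #
 DefaultType text/plain
 
+<IfModule headers_module>
+ #
+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+ # backend servers which have lingering "httpoxy" defects.
+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
+ #
+ RequestHeader unset Proxy early
+</IfModule>
+
 <IfModule mime_module>
 #
 # TypesConfig points to the file containing the list of mappings from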
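Review bot: `RequestHeader unset Proxy early` only takes effect when mod_headers is loaded, because the whole block is wrapped in `<IfModule headers_module>`; on a build or configuration without that module the header is silently forwarded to proxied backends, and the util_script.c change in this commit covers only local CGI, not proxied requests. The comment should state that dependency so an administrator does not assume the protection is present, e.g. `# Requires mod_headers; without it this block is skipped and the header reaches proxied backends.` The `early` flag is what makes the unset happen before other request processing sees the header, so a short phrase like `# 'early' strips it before any handler or proxy sees it` would keep someone from dropping the flag later.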
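--- a/server/util_script.c
+++ b/server/util_script.c
@@ -165,6 +165,14 @@
 else if (!strcasecmp(hdrs[i].key, "Content-length")) {
 apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
 }
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
 /*
 * You really don't want to disable this check, since it leaves you
 * wide open to CGIs stealing passwords and people viewing them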
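Review bot: The empty `;` body of the added `else if (!strcasecmp(hdrs[i].key, "Proxy"))` is the entire mechanism — matching here keeps the header from reaching whatever later branch builds the generic `HTTP_*` variables — but a reader sees a no-op branch and may well "clean it up". The comment above the `#ifndef` should say so explicitly, e.g. `/* Deliberately empty: consuming "Proxy" here keeps it out of the generic HTTP_* branch below, so HTTP_PROXY is never set. */`. The comment also sits outside the `#ifndef`, so when SECURITY_HOLE_PASS_PROXY is defined the explanation survives while the branch it describes disappears; moving the comment inside the guard keeps them together. The enclosing loop and function start and end outside the hunk, so the existence and position of that generic `HTTP_*` branch is inferred, not visible here.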