1 https://www.apache.org/security/asf-httpoxy-response.txt |
|
2 http://svn.apache.org/viewvc?view=revision&revision=1753228 |
|
3 http://svn.apache.org/viewvc?view=revision&revision=1753229 |
|
4 |
|
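--- a/docs/conf/httpd.conf.in
+++ b/docs/conf/httpd.conf.in
@@ -283,6 +283,15 @@
 Require all granted
 </Directory>
 
+<IfModule headers_module>
+ #
+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+ # backend servers which have lingering "httpoxy" defects.
+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
+ #
+ RequestHeader unset Proxy early
+</IfModule>
+
 <IfModule mime_module>
 #
 # TypesConfig points to the file containing the list of mappings from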
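Review bot: The `<IfModule headers_module>` guard makes the `RequestHeader unset Proxy early` line a silent no-op when mod_headers is not loaded, and the added comment does not tell the administrator that the mitigation depends on that module being present. Suggest extending the comment with `# Requires mod_headers; if it is not loaded this block is skipped and the header still reaches CGI scripts and proxied backends.` The comment also does not explain the `early` keyword, which is presumably there so the header is removed before other modules process the request; a short `# 'early' drops the header at the start of request processing` line would record that intent (confirm against the mod_headers documentation).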
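--- a/server/util_script.c
+++ b/server/util_script.c
@@ -186,6 +186,14 @@
 else if (!strcasecmp(hdrs[i].key, "Content-length")) {
 apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
 }
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
 /*
 * You really don't want to disable this check, since it leaves you
 * wide open to CGIs stealing passwords and people viewing them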
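Review bot: The new `else if` branch for the "Proxy" header has an empty `;` body, so a reader has to infer that its only purpose is to stop the header from reaching whatever generic `HTTP_*` environment construction follows later in the chain (that code is outside the hunk, so this is inferred). A comment inside the braces, `/* deliberately dropped: would otherwise become HTTP_PROXY */`, would make the intent self-evident. The preceding comment's `But, if you must...` is vague about the escape hatch; spell it out as `Define SECURITY_HOLE_PASS_PROXY at build time to pass the header through anyway.` The adjacent branches compare with `strcasecmp` while the new one uses `ap_cstr_casecmp`; if the locale-independent comparison is preferred, a one-line comment saying so would explain the mix. The enclosing function starts and ends outside this hunk.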