Mercurial Mercurial > upstream > oracle > userland-gate / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
24311941 problem in UTILITY/APACHE s11u3-sru
authorPetr Sumbera <petr.sumbera@oracle.com>
Tue, 23 Aug 2016 07:01:29 -0700
branchs11u3-sru
changeset 6724 256d982fb18a
parent 6723 ec9e4505813f
child 6728 bac15af72b19
24311941 problem in UTILITY/APACHE
components/apache2/patches/httpoxy.patch file | annotate | diff | comparison | revisions
components/apache24/patches/httpoxy.patch file | annotate | diff | comparison | revisions 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/httpoxy.patch	Tue Aug 23 07:01:29 2016 -0700
@@ -0,0 +1,38 @@
+https://www.apache.org/security/asf-httpoxy-response.txt
+http://svn.apache.org/viewvc?view=revision&revision=1756564
+
+--- docs/conf/httpd.conf.in	2012/02/06 16:54:24	1241075
++++ docs/conf/httpd.conf.in	2016/08/16 23:32:35	1756564
+@@ -284,6 +284,15 @@
+ #
+ DefaultType text/plain
+ 
++<IfModule headers_module>
++    #
++    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
++    # backend servers which have lingering "httpoxy" defects.
++    # 'Proxy' request header is undefined by the IETF, not listed by IANA
++    #
++    RequestHeader unset Proxy early
++</IfModule>
++
+ <IfModule mime_module>
+     #
+     # TypesConfig points to the file containing the list of mappings from
+--- server/util_script.c	2012/08/21 17:42:49	1375683
++++ server/util_script.c	2016/08/16 23:32:35	1756564
+@@ -165,6 +165,14 @@
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/patches/httpoxy.patch	Tue Aug 23 07:01:29 2016 -0700
@@ -0,0 +1,39 @@
+https://www.apache.org/security/asf-httpoxy-response.txt
+http://svn.apache.org/viewvc?view=revision&revision=1753228
+http://svn.apache.org/viewvc?view=revision&revision=1753229
+
+--- docs/conf/httpd.conf.in	2016/07/18 14:00:30	1753227
++++ docs/conf/httpd.conf.in	2016/07/18 14:07:00	1753228
+@@ -283,6 +283,15 @@
+     Require all granted
+ </Directory>
+ 
++<IfModule headers_module>
++    #
++    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
++    # backend servers which have lingering "httpoxy" defects.
++    # 'Proxy' request header is undefined by the IETF, not listed by IANA
++    #
++    RequestHeader unset Proxy early
++</IfModule>
++
+ <IfModule mime_module>
+     #
+     # TypesConfig points to the file containing the list of mappings from
+--- server/util_script.c	2016/07/18 14:00:30	1753227
++++ server/util_script.c	2016/07/18 14:07:00	1753228
+@@ -186,6 +186,14 @@
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them
upstream/oracle/userland-gate