www/apache22/patches/patch-server_util__script.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:10:24 wiz Exp $

Fix httpoxy vulnerability.
https://www.apache.org/security/asf-httpoxy-response.txt

--- server/util_script.c.orig	2012-08-21 17:42:49.000000000 +0000
+++ server/util_script.c
@@ -165,6 +165,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them