httpoxy workarounds, first draft patch as published for all 2.2.x+ sources

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1753228 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
index 2036685bfeaf12c98c2fa8d69a72e359ef618146..b793a79e00de117ceba63871dbdb1cfcc0616cbd 100644 (file)
--- a/docs/conf/httpd.conf.in
+++ b/docs/conf/httpd.conf.in
@@ -270,6 +270,15 @@ LogLevel warn
     Require all granted
 </Directory>
 
+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
+
 <IfModule mime_module>
     #
     # TypesConfig points to the file containing the list of mappings from

diff --git a/server/util_script.c b/server/util_script.c
index 5e071a2f84054d57912f73c5c8834699ba633649..3b047bcb1a5e6d9fa5e3f1cabfc3d6b225b4b5d7 100644 (file)
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
         else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them