Merge r1753228, r1753229 from trunk:
authorYann Ylavic <ylavic@apache.org>
Tue, 16 Aug 2016 23:12:07 +0000 (23:12 +0000)
committerYann Ylavic <ylavic@apache.org>
Tue, 16 Aug 2016 23:12:07 +0000 (23:12 +0000)
httpoxy workarounds, first draft patch as published for all 2.2.x+ sources

Optimization to httpoxy workaround, for 2.4.23+ only.

Submitted by: Dominic Scheirlinck <dominic vendhq.com>, ylavic
Reviewed/backported by: wrowe, jim, ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756559 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
docs/conf/httpd.conf.in
server/util_script.c

diff --git a/CHANGES b/CHANGES
index 8cd8e86bbb296ce0051b47b9fbd060c8e12dd6d3..488907e8c89b068ca779ac5d56874e6fdf8f2be6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.24
 
+  *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues.
+     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+
   *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query 
      string showing up in SCRIPT_FILENAME. PR59815
 
diff --git a/STATUS b/STATUS
index ea2b7c5fdca91afb8f393ac60e462c28ad326cda..9092b793974d7d18ddc6f88dae1617f4809a03d0 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -117,14 +117,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues
-      Trunk version of patch:
-         http://svn.apache.org/viewvc?rev=1753228&view=rev
-         http://svn.apache.org/viewvc?rev=1753229&view=rev
-      Backport version for 2.4.x of patch:
-         Trunk version of patch works (modulo CHANGES)
-      +1: wrowe, jim, ylavic
-
   *) mod_dav: Add support for childtags to dav_error.
      trunk patch: http://svn.apache.org/r1746207
      2.4.x: trunk works modulo CHANGES/MMN
index 966d2c3a47741a930666538f43c1086997bfc292..37d7c0b4f34ee4ec5842641256e4af00bef3ea16 100644 (file)
@@ -268,6 +268,15 @@ LogLevel warn
     Require all granted
 </Directory>
 
+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
+
 <IfModule mime_module>
     #
     # TypesConfig points to the file containing the list of mappings from
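Review bot: The `RequestHeader unset Proxy early` line is the only thing in the new `<IfModule headers_module>` block, so on a server where mod_headers is not loaded the whole mitigation is skipped silently and nothing in the template tells the administrator that. I would add one line to the comment inside the block, e.g. `# Requires mod_headers; if it is not loaded this block is skipped and the header still reaches proxied backends.` The `early` argument is what makes the removal happen before the request is forwarded or handed to a CGI, which the comment could also say in a few words so nobody drops it as unnecessary.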
index 308e009a9463f28ce2d868beaa7d24b85f03305c..4121ae0aec1fe5c2095701618d54b387a212e0e7 100644 (file)
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them
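Review bot: The new `else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy"))` branch has an empty body, and nothing next to the lone `;` says why, so a later reader can easily take it for an accident or "fix" it. The intent appears to be that matching the header here keeps it from reaching the fall-through case that exports remaining headers as HTTP_* variables, but that case is outside the hunk, so I would state the reason on the statement itself: `; /* intentionally empty: consume the header so it is never exported as HTTP_PROXY */`. The branch also uses `ap_cstr_casecmp` while the `Content-length` test three lines above still uses `strcasecmp`; the ASCII-only comparison is the right choice for header names, and the chain would be easier to audit if the older tests were converted in the same change or a short comment noted the deliberate difference. ap_add_common_vars begins before the hunk and continues after it.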