From: Yann Ylavic Date: Tue, 16 Aug 2016 23:12:07 +0000 (+0000) Subject: Merge r1753228, r1753229 from trunk: X-Git-Tag: 2.4.24~320 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b0ac59c9cf03a27dc657ab669d6f5e4488b26bce;p=apache Merge r1753228, r1753229 from trunk: httpoxy workarounds, first draft patch as published for all 2.2.x+ sources Optimization to httpoxy workaround, for 2.4.23+ only. Submitted by: Dominic Scheirlinck , ylavic Reviewed/backported by: wrowe, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756559 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 8cd8e86bbb..488907e8c8 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.4.24 + *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues. + [Dominic Scheirlinck , Yann Ylavic] + *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query string showing up in SCRIPT_FILENAME. PR59815 diff --git a/STATUS b/STATUS index ea2b7c5fdc..9092b79397 100644 --- a/STATUS +++ b/STATUS @@ -117,14 +117,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues - Trunk version of patch: - http://svn.apache.org/viewvc?rev=1753228&view=rev - http://svn.apache.org/viewvc?rev=1753229&view=rev - Backport version for 2.4.x of patch: - Trunk version of patch works (modulo CHANGES) - +1: wrowe, jim, ylavic - *) mod_dav: Add support for childtags to dav_error. trunk patch: http://svn.apache.org/r1746207 2.4.x: trunk works modulo CHANGES/MMN diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in index 966d2c3a47..37d7c0b4f3 100644 --- a/docs/conf/httpd.conf.in +++ b/docs/conf/httpd.conf.in 
@@ -268,6 +268,15 @@ LogLevel warn Require all granted + + # + # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied + # backend servers which have lingering "httpoxy" defects. + # 'Proxy' request header is undefined by the IETF, not listed by IANA + # + RequestHeader unset Proxy early + + # # TypesConfig points to the file containing the list of mappings from diff --git a/server/util_script.c b/server/util_script.c index 308e009a94..4121ae0aec 100644 --- a/server/util_script.c +++ b/server/util_script.c @@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r) else if (!strcasecmp(hdrs[i].key, "Content-length")) { apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); } + /* HTTP_PROXY collides with a popular envvar used to configure + * proxies, don't let clients set/override it. But, if you must... + */ +#ifndef SECURITY_HOLE_PASS_PROXY + else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) { + ; + } +#endif /* * You really don't want to disable this check, since it leaves you * wide open to CGIs stealing passwords and people viewing them
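Review bot: the CHANGES entry for CVE-2016-5387 names the CVE but not what actually changed for users: ap_add_common_vars now silently drops the "Proxy" request header so it is never exported as HTTP_PROXY (unless the server is built with SECURITY_HOLE_PASS_PROXY defined), and the default docs/conf/httpd.conf.in gains `RequestHeader unset Proxy early`. A second line such as "Drop the Proxy request header from CGI/FCGI environments and from the default config" would tell an administrator reading CHANGES which layer protects them and what the compile-time escape hatch is.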
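Review bot: `RequestHeader unset Proxy early` in the docs/conf/httpd.conf.in hunk is a mod_headers directive, so a build or installation that does not load headers_module will refuse to start on the shipped default config with an unknown-directive error. Either wrap the directive in `<IfModule headers_module>` ... `</IfModule>` or extend the new comment to say that mod_headers is required, so the config-level mitigation degrades gracefully rather than breaking startup.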
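Review bot: in the server/util_script.c hunk the new `else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) { ; }` branch is the right shape (it consumes the header before the generic HTTP_ conversion below), but it uses `ap_cstr_casecmp` while the adjacent `Content-length` branch uses `strcasecmp`; pick one for consistency within the chain. The empty `;` body also deserves an inline comment (for example `; /* deliberately not exported as HTTP_PROXY */`), because the unchanged comment that now follows the `#endif` ("You really don't want to disable this check, since it leaves you wide open to CGIs stealing passwords") belongs to the pre-existing check below it and a reader may take it as referring to SECURITY_HOLE_PASS_PROXY.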