From: Jacob Champion Date: Mon, 17 Oct 2016 19:33:51 +0000 (+0000) Subject: docs: add "threat model" warning to ProxyHTMLMeta X-Git-Tag: 2.5.0-alpha~1086 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f59b78d7973ed81d4ede8863be938be377589e45;p=apache docs: add "threat model" warning to ProxyHTMLMeta git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1765357 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_proxy_html.html.en b/docs/manual/mod/mod_proxy_html.html.en index 12573765f0..1c36816332 100644 --- a/docs/manual/mod/mod_proxy_html.html.en +++ b/docs/manual/mod/mod_proxy_html.html.en @@ -340,6 +340,15 @@ module for earlier 2.x versions. them to real HTTP headers, in keeping with the original purpose of this form of the HTML <meta> element.

+

Warning

+ Because ProxyHTMLMeta promotes all + http-equiv elements to HTTP headers, it is important that you + only enable it in cases where you trust the HTML content as much as you + trust the upstream server. If the HTML is controlled by bad actors, it + will be possible for them to inject arbitrary, possibly malicious, HTTP + headers into your server's responses. +
+
top

ProxyHTMLStripComments Directive

diff --git a/docs/manual/mod/mod_proxy_html.xml b/docs/manual/mod/mod_proxy_html.xml index 1498e860cf..da4957028c 100644 --- a/docs/manual/mod/mod_proxy_html.xml +++ b/docs/manual/mod/mod_proxy_html.xml @@ -88,6 +88,15 @@ module for earlier 2.x versions. <meta http-equiv=...> declarations and convert them to real HTTP headers, in keeping with the original purpose of this form of the HTML <meta> element.

+ + Warning + Because ProxyHTMLMeta promotes all + http-equiv elements to HTTP headers, it is important that you + only enable it in cases where you trust the HTML content as much as you + trust the upstream server. If the HTML is controlled by bad actors, it + will be possible for them to inject arbitrary, possibly malicious, HTTP + headers into your server's responses. +