From 235ee2ff4097373c1ce72c17d375c0423fbd73e9 Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr" <wrowe@apache.org>
Date: Mon, 18 Jul 2016 14:07:00 +0000
Subject: [PATCH] httpoxy workarounds, first draft patch as published for all
 2.2.x+ sources

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1753228 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/conf/httpd.conf.in | 9 +++++++++
 server/util_script.c    | 8 ++++++++
 2 files changed, 17 insertions(+)

diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
index 2036685bfe..b793a79e00 100644
--- a/docs/conf/httpd.conf.in
+++ b/docs/conf/httpd.conf.in
@@ -270,6 +270,15 @@ LogLevel warn
     Require all granted
 </Directory>
 
+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
+
 <IfModule mime_module>
     #
     # TypesConfig points to the file containing the list of mappings from
diff --git a/server/util_script.c b/server/util_script.c
index 5e071a2f84..3b047bcb1a 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
         else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them
-- 
2.50.1