From f59b78d7973ed81d4ede8863be938be377589e45 Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Mon, 17 Oct 2016 19:33:51 +0000 Subject: [PATCH] docs: add "threat model" warning to ProxyHTMLMeta git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1765357 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_proxy_html.html.en | 9 +++++++++ docs/manual/mod/mod_proxy_html.xml | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/docs/manual/mod/mod_proxy_html.html.en b/docs/manual/mod/mod_proxy_html.html.en index 12573765f0..1c36816332 100644 --- a/docs/manual/mod/mod_proxy_html.html.en +++ b/docs/manual/mod/mod_proxy_html.html.en @@ -340,6 +340,15 @@ module for earlier 2.x versions. them to real HTTP headers, in keeping with the original purpose of this form of the HTML <meta> element.

+

Warning

+ Because ProxyHTMLMeta promotes all + http-equiv elements to HTTP headers, it is important that you + only enable it in cases where you trust the HTML content as much as you + trust the upstream server. If the HTML is controlled by bad actors, it + will be possible for them to inject arbitrary, possibly malicious, HTTP + headers into your server's responses. +
+
top

ProxyHTMLStripComments Directive

diff --git a/docs/manual/mod/mod_proxy_html.xml b/docs/manual/mod/mod_proxy_html.xml index 1498e860cf..da4957028c 100644 --- a/docs/manual/mod/mod_proxy_html.xml +++ b/docs/manual/mod/mod_proxy_html.xml @@ -88,6 +88,15 @@ module for earlier 2.x versions. <meta http-equiv=...> declarations and convert them to real HTTP headers, in keeping with the original purpose of this form of the HTML <meta> element.

+ + Warning + Because ProxyHTMLMeta promotes all + http-equiv elements to HTTP headers, it is important that you + only enable it in cases where you trust the HTML content as much as you + trust the upstream server. If the HTML is controlled by bad actors, it + will be possible for them to inject arbitrary, possibly malicious, HTTP + headers into your server's responses. + -- 2.50.1