mirror of https://we.phorge.it/source/phorge.git synced 2024-12-18 03:20:59 +01:00

Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability

Summary:
See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a `Proxy:` header.

This will also do a false-positive reject if `HTTP_PROXY` is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan:
  - Made requests using `curl -H Proxy:...`, got rejected.
  - Made normal requests, got normal pages.

Reviewers: chad, avivey

Reviewed By: avivey

Differential Revision: https://secure.phabricator.com/D16318
This commit is contained in:
epriestley 2016-07-21 17:22:35 -07:00
parent 68904d941c
commit fc950140b4


@ -374,7 +374,7 @@ final class PhabricatorStartup {
$http_error = 500);
error_log($log_message);
echo $message;
echo $message."\n";
exit(1);
}
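Review bot: The only change in this hunk, appending `"\n"` to `echo $message;` in the fatal path, is a cosmetic output fix unrelated to the `Proxy:` header rejection the summary describes; it should be mentioned in the commit message (or split out) so the behaviour change is traceable on its own. It does not affect the new check, which still goes through `error_log()` and `exit(1)` after printing.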
@ -529,6 +529,13 @@ final class PhabricatorStartup {
"Downgrade to version 3.1.13.");
}
}
if (isset($_SERVER['HTTP_PROXY'])) {
self::didFatal(
'This HTTP request included a "Proxy:" header, poisoning the '.
'environment (CVE-2016-5385 / httpoxy). Declining to process this '.
'request. For details, see: https://phurl.io/u/httpoxy');
}
}
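Review bot: The new `isset($_SERVER['HTTP_PROXY'])` check cannot tell a request-supplied `Proxy:` header apart from an `HTTP_PROXY` variable exported by the web server's own environment (PHP copies environment variables into `$_SERVER` when `variables_order` includes `E`), yet the message states unconditionally that 'This HTTP request included a "Proxy:" header'. Consider covering both causes in the text, e.g. 'or HTTP_PROXY is set in the server environment; see https://phurl.io/u/httpoxy', so an administrator who hits the false positive acknowledged in the summary is pointed at the configuration rather than at a non-existent client. Testing with `isset()` rather than a non-empty check is the right call here, since PHP maps `Proxy`, `proxy` and `PROXY` alike to `HTTP_PROXY`, and the check sits in `PhabricatorStartup` before any request handling, which is where it needs to be to protect subprocesses.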