Mirror of https://we.phorge.it/source/phorge.git, synced 2024-11-17 12:22:42 +01:00
Blanket-reject requests which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability

Summary: See accompanying discussion in T11359. As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a `Proxy:` header. This will also do a false-positive reject if `HTTP_PROXY` is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan:
- Made requests using `curl -H Proxy:...`, got rejected.
- Made normal requests, got normal pages.

Reviewers: chad, avivey

Reviewed By: avivey

Differential Revision: https://secure.phabricator.com/D16318
parent 68904d941c
commit fc950140b4
1 changed file with 8 additions and 1 deletion
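The commit message above describes the mechanism it guards against: a client-supplied `Proxy:` request header is turned into the `HTTP_PROXY` environment variable by the CGI header mapping, and any subprocess that honours `HTTP_PROXY` then sends its outbound HTTP through an attacker-chosen proxy. The following is an added example in Python, not Phabricator/Phorge code, that reproduces that mapping, shows a child process inheriting the poisoned variable, and applies the same reject check. The sample requests, hostnames and function names are constructed for the example; the 400 status is this example's choice (the commit's `didFatal()` sends a 500 by default).

```python
import os
import subprocess
import sys

# Constructed sample requests (not captured traffic). The first carries a
# client-controlled "Proxy:" header in odd casing, the second is an ordinary
# request. Hostnames are placeholders.
POISONED_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: phabricator.example.test\r\n"
    "pRoXy: http://attacker.invalid:8080\r\n"
    "User-Agent: curl/7.49.1\r\n"
    "\r\n"
)
CLEAN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: phabricator.example.test\r\n"
    "User-Agent: curl/7.49.1\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Return [(name, value), ...] for the header block of a raw HTTP/1.x request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def cgi_meta_variables(headers):
    """RFC 3875 mapping applied by CGI/FastCGI front ends: upper-case the header
    name, turn '-' into '_', prefix HTTP_. Header names are case-insensitive, so
    any spelling of "Proxy" lands in HTTP_PROXY, the variable many HTTP client
    libraries read to pick their outbound proxy. That collision is httpoxy."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers}


def is_httpoxy_poisoned(server_vars):
    """The commit's check, in Python form: refuse the request if HTTP_PROXY is set.
    As the commit summary notes, a genuine HTTP_PROXY in the server's own
    environment trips it too (a false positive the message calls a misconfiguration)."""
    return "HTTP_PROXY" in server_vars


def subprocess_sees_proxy(cgi_vars):
    """Demonstrate the hazard the commit guards against: a child process started
    with the request's CGI variables inherits HTTP_PROXY. Returns the value the
    child observes ('' when unset). Any HTTP_PROXY in this interpreter's own
    environment is removed first so the result reflects only cgi_vars."""
    child_env = dict(os.environ)
    child_env.pop("HTTP_PROXY", None)
    child_env.update(cgi_vars)
    result = subprocess.run(
        [sys.executable, "-c", "import os; print(os.environ.get('HTTP_PROXY', ''))"],
        env=child_env, capture_output=True, text=True, check=True)
    return result.stdout.strip()


def handle_request(raw_request, server_env=None):
    """Minimal front end: build the environment a script would run under, apply the
    guard, then dispatch. Returns (status, body). A 400 is used here instead of the
    500 that didFatal() sends by default, because the defect is in the request."""
    env = dict(server_env or {})
    env.update(cgi_meta_variables(parse_headers(raw_request)))
    env["REQUEST_METHOD"] = raw_request.split(" ", 1)[0]
    if is_httpoxy_poisoned(env):
        return 400, ('This HTTP request included a "Proxy:" header, poisoning the '
                     "environment (CVE-2016-5385 / httpoxy). Declining to process this "
                     "request.")
    return 200, "ok"


if __name__ == "__main__":
    poisoned = cgi_meta_variables(parse_headers(POISONED_REQUEST))
    print("CGI variables for the poisoned request:", poisoned)
    print("Child process sees HTTP_PROXY =", repr(subprocess_sees_proxy(poisoned)))
    for req in (POISONED_REQUEST, CLEAN_REQUEST):
        print(handle_request(req))
    # Legitimate proxy in the server environment: same rejection (false positive).
    print(handle_request(CLEAN_REQUEST, {"HTTP_PROXY": "http://corp-proxy.example.test:3128"}))
```

Because the CGI mapping upper-cases the header name, checking `HTTP_PROXY` (as the commit's `isset($_SERVER['HTTP_PROXY'])` does) catches every casing of `Proxy` without a separate case-insensitive header scan. The same outcome can be reached one layer earlier, as general httpoxy guidance rather than anything this commit does: drop the header at the web server (`RequestHeader unset Proxy early` with Apache mod_headers, or `fastcgi_param HTTP_PROXY "";` in nginx), which avoids the false positive on a legitimately configured `HTTP_PROXY`.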
@ -374,7 +374,7 @@ final class PhabricatorStartup {
$http_error = 500);
error_log($log_message);
echo $message;
echo $message."\n";
exit(1);
}
@ -529,6 +529,13 @@ final class PhabricatorStartup {
"Downgrade to version 3.1.13.");
}
}
if (isset($_SERVER['HTTP_PROXY'])) {
self::didFatal(
'This HTTP request included a "Proxy:" header, poisoning the '.
'environment (CVE-2016-5385 / httpoxy). Declining to process this '.
'request. For details, see: https://phurl.io/u/httpoxy');
}
}
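Review bot: the new branch at `if (isset($_SERVER['HTTP_PROXY'])) {` calls `self::didFatal(` with only a message, so the rejection goes out with the default status shown as context in the first hunk (`$http_error = 500);`). A client-supplied `Proxy:` header is a defect in the request, not in the server, so pass a 400-class status here: it keeps the `curl -H Proxy:...` rejections from the test plan out of 5xx error-rate alerting and tells the client accurately what happened. Separately, the message text states that the header poisoned the environment, but as the summary itself notes the same branch fires when `HTTP_PROXY` is merely set in the web server's environment; a sentence in the message (or on the linked page) telling an administrator to unset `HTTP_PROXY` in that environment would save a false-positive debugging session.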