From fc950140b4c1cec0538573f4fc832d514347566c Mon Sep 17 00:00:00 2001
From: epriestley
Date: Thu, 21 Jul 2016 17:22:35 -0700
Subject: [PATCH] Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability

Summary: See accompanying discussion in T11359. As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a `Proxy:` header. This will also do a false-positive reject if `HTTP_PROXY` is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.
Test Plan: - Made requests using `curl -H Proxy:...`, got rejected. - Made normal requests, got normal pages.
Reviewers: chad, avivey
Reviewed By: avivey
Differential Revision: https://secure.phabricator.com/D16318
---
 support/PhabricatorStartup.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/support/PhabricatorStartup.php b/support/PhabricatorStartup.php
index 6c50ed603e..0a27a616e3 100644
--- a/support/PhabricatorStartup.php
+++ b/support/PhabricatorStartup.php
@@ -374,7 +374,7 @@ final class PhabricatorStartup {
 $http_error = 500);
 error_log($log_message);
- echo $message;
+ echo $message."\n";
 exit(1);
 }
@@ -529,6 +529,13 @@ final class PhabricatorStartup {
 "Downgrade to version 3.1.13.");
 }
 }
+
+ if (isset($_SERVER['HTTP_PROXY'])) {
+ self::didFatal(
+ 'This HTTP request included a "Proxy:" header, poisoning the '.
+ 'environment (CVE-2016-5385 / httpoxy). Declining to process this '.
+ 'request. For details, see: https://phurl.io/u/httpoxy');
+ }
 }
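Review bot: The new `HTTP_PROXY` rejection is appended at the end of the enclosing startup method, after the version check that precedes it in the second hunk, so whatever that method does earlier still runs with the poisoned value present in `$_SERVER`; if any earlier step can spawn a subprocess, the guard should move ahead of it (the method begins outside the hunk, so its earlier contents are not visible here and this is inferred). The check uses `isset`, which also trips on an empty `Proxy:` header because `isset('')` is true; that is the right behaviour but worth stating, together with the reason for refusing rather than scrubbing, in a comment above the `if`, e.g. `// A client-supplied "Proxy:" header surfaces as HTTP_PROXY in the environment and can redirect outbound HTTP from subprocesses (httpoxy); refuse the whole request rather than trying to unset it.` Rejecting through `didFatal()` also writes these requests to the error log (the `error_log($log_message)` call is visible in the first hunk), which gives operators a detection signal for probing attempts and deserves a mention in the guidance the summary promises.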