mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-09 16:32:39 +01:00
Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability
Summary: See accompanying discussion in T11359. As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a `Proxy:` header. This will also do a false-positive reject if `HTTP_PROXY` is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan:
- Made requests using `curl -H Proxy:...`, got rejected.
- Made normal requests, got normal pages.

Reviewers: chad, avivey

Reviewed By: avivey

Differential Revision: https://secure.phabricator.com/D16318
parent 68904d941c
commit fc950140b4
1 changed files with 8 additions and 1 deletions
|
@ -374,7 +374,7 @@ final class PhabricatorStartup {
|
||||||
$http_error = 500);
|
$http_error = 500);
|
||||||
|
|
||||||
error_log($log_message);
|
error_log($log_message);
|
||||||
echo $message;
|
echo $message."\n";
|
||||||
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
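Review bot: the `echo $message."\n";` change in didFatal alters the response body of every fatal error path that reaches this function, not only the new httpoxy rejection, but the commit summary describes only the `Proxy:` header rejection. Suggest a sentence in the summary noting that fatal messages now end with a trailing newline (which makes the `curl` output in the test plan readable, but applies generally).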
@ -529,6 +529,13 @@ final class PhabricatorStartup {
|
||||||
"Downgrade to version 3.1.13.");
|
"Downgrade to version 3.1.13.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (isset($_SERVER['HTTP_PROXY'])) {
|
||||||
|
self::didFatal(
|
||||||
|
'This HTTP request included a "Proxy:" header, poisoning the '.
|
||||||
|
'environment (CVE-2016-5385 / httpoxy). Declining to process this '.
|
||||||
|
'request. For details, see: https://phurl.io/u/httpoxy');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
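Review bot: the fatal message in the new `isset($_SERVER['HTTP_PROXY'])` block only says the request "included a 'Proxy:' header", but the summary itself acknowledges the same branch fires when an administrator has exported `HTTP_PROXY` into the server environment (the false-positive case). An operator hitting that path will be told their request was poisoned when nothing was sent by the client. Suggest extending the message to cover both causes, e.g. `'... or the server environment defines HTTP_PROXY, which must be unset. ...'`, so the pointer to https://phurl.io/u/httpoxy is reached by the right audience; the early placement in PhabricatorStartup, before any request handling or subprocess launch, is otherwise the right spot for this check.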