Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability

Summary: See accompanying discussion in T11359. As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a `Proxy:` header. This will also do a false-positive reject if `HTTP_PROXY` is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this. Test Plan: - Made requests using `curl -H Proxy:...`, got rejected. - Made normal requests, got normal pages. Reviewers: chad, avivey Reviewed By: avivey Differential Revision: https://secure.phabricator.com/D16318
2024-11-09 16:32:39 +01:00 · 2016-07-21 17:22:35 -07:00 · 2016-07-21 17:22:35 -07:00 · fc950140b4
commit fc950140b4
parent 68904d941c
1 changed files with 8 additions and 1 deletions
--- a/support/PhabricatorStartup.php
+++ b/support/PhabricatorStartup.php
@ -374,7 +374,7 @@ final class PhabricatorStartup {
      $http_error = 500);

    error_log($log_message);
-    echo $message;
+    echo $message."\n";

    exit(1);
  }
@ -529,6 +529,13 @@ final class PhabricatorStartup {
          "Downgrade to version 3.1.13.");
      }
    }
+
+    if (isset($_SERVER['HTTP_PROXY'])) {
+      self::didFatal(
+        'This HTTP request included a "Proxy:" header, poisoning the '.
+        'environment (CVE-2016-5385 / httpoxy). Declining to process this '.
+        'request. For details, see: https://phurl.io/u/httpoxy');
+    }
  }