1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-18 19:40:55 +01:00
phorge-phorge/support
epriestley fc950140b4 Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability
Summary:
See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a `Proxy:` header.

This will also do a false-positive reject if `HTTP_PROXY` is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan:
  - Made requests using `curl -H Proxy:...`, got rejected.
  - Made normal requests, got normal pages.

Reviewers: chad, avivey

Reviewed By: avivey

Differential Revision: https://secure.phabricator.com/D16318
2016-07-21 20:18:06 -07:00
..
aphlict/server Support Aphlict clustering 2016-04-14 13:26:30 -07:00
bin Ignore and README for support/bin 2013-04-03 12:58:39 -07:00
empty Various linter fixes. 2014-02-26 12:44:58 -08:00
lint Swap charts from gRaphael to D3 2016-02-01 10:36:59 -08:00
phame Delete license headers from files 2012-11-05 11:16:51 -08:00
PhabricatorStartup.php Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability 2016-07-21 20:18:06 -07:00