mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-22 14:52:41 +01:00
fc950140b4
Summary: See accompanying discussion in T11359. As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a `Proxy:` header. This will also do a false-positive reject if `HTTP_PROXY` is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this. Test Plan: - Made requests using `curl -H Proxy:...`, got rejected. - Made normal requests, got normal pages. Reviewers: chad, avivey Reviewed By: avivey Differential Revision: https://secure.phabricator.com/D16318 |
||
---|---|---|
.. | ||
aphlict/server | ||
bin | ||
empty | ||
lint | ||
phame | ||
PhabricatorStartup.php |