--- docs/conf/httpd.conf.in.orig 2015/10/09 23:25:02 1707831
+++ docs/conf/httpd.conf.in 2016/07/18 14:07:00 1753228
@@ -270,6 +270,15 @@
Require all granted
</Directory>
+<IfModule headers_module>
+ #
+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+ # backend servers which have lingering "httpoxy" defects.
+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
+ #
+ RequestHeader unset Proxy early
+</IfModule>
+
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
--- server/util_script.c.orig 2016/07/03 09:48:06 1751138
+++ server/util_script.c 2016/07/18 14:09:38 1753229
@@ -186,6 +186,14 @@
else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) {
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
}
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
/*
* You really don't want to disable this check, since it leaves you
* wide open to CGIs stealing passwords and people viewing them