Blanket reject request which may have been poisoned by a "Proxy" header to…
fc950140b4c1
Actions

Authored by epriestley <git@epriestley.com> on Jul 22 2016, 02:22.

Description

Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability

Summary:
See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a Proxy: header.

This will also do a false-positive reject if HTTP_PROXY is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan:

Made requests using curl -H Proxy:..., got rejected.
Made normal requests, got normal pages.

Reviewers: chad, avivey

Reviewed By: avivey

Differential Revision: https://secure.phabricator.com/D16318

Details

Committed

epriestley <git@epriestley.com>

Jul 22 2016, 05:18

Pushed

aubort

Jan 31 2017, 17:16

Parents

rPH68904d941c54: bin/storage shell: force TCP

Branches

Unknown

Tags

Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHfc950140b4c1: Blanket reject request which may have been poisoned by a "Proxy" header to… (authored by epriestley <git@epriestley.com>).Jul 22 2016, 05:18

Changes (1)

				Path
	M			support/PhabricatorStartup.php

rPHfc950140b4c1

View Options

support/PhabricatorStartup.php