File apache2-cve-2016-5387.patch of Package apache2.10087

Overview Repositories Revisions Requests Users Attributes Meta

File apache2-cve-2016-5387.patch of Package apache2.10087

From 68e2a08a173f64758425bf13f684432fe50eec20 Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Wed, 13 Jul 2016 18:06:35 +0200
Subject: [PATCH] Don't translate "Proxy" HTTP headers into $HTTP_PROXY env
 vars (CVE-2016-5387).

ap_add_common_vars() provides a HTTP_FOO="..." environment variable for every
"Foo: ..." HTTP header received in the request. While this mechanism is useful
in general, there is potential for abuse by sending a header like

Proxy: http://malicious-machine.example.org/

that would be translated into an environment variable

HTTP_PROXY=http://malicious-machine.example.org/

for the request handler running on the server.
---
 server/util_script.c | 3 +++
 1 file changed, 3 insertions(+)

Index: httpd-2.4.10/server/util_script.c
===================================================================
--- httpd-2.4.10.orig/server/util_script.c	2016-07-13 19:35:08.393480311 +0200
+++ httpd-2.4.10/server/util_script.c	2016-07-13 19:35:08.485480038 +0200
@@ -191,6 +191,9 @@ AP_DECLARE(void) ap_add_common_vars(requ
             continue;
         }
 #endif
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+          continue;       /* Don't create HTTP_PROXY to avoid CVE-2016-5387. */
+        }
         else
             add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
     }

Places

File apache2-cve-2016-5387.patch of Package apache2.10087

Places