
commit 779c133c16f9af168b004dce7a2a64f16c1cb3a4
Author: Glenn Strauss <gstrauss@gluelogic.com>
Date:   Mon Jul 18 22:59:33 2016 -0400

    [security] do not emit HTTP_PROXY to CGI env
    
    Strip bogus "Proxy" header before creating subprocess environment.
    (mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)
    
    Do not emit HTTP_PROXY to subprocess environment.
    Some executables use HTTP_PROXY to configure outgoing proxy.
    
    This is not a lighttpd security issue per se, but this change to
    lighttpd adds a layer of defense to protect backend processes which
    might be vulnerable due to blindly using this untrusted environment
    variable.  The HTTP_PROXY environment variable should not be trusted
    by a program running in a CGI-like environment.
    
    Mitigation for lighttpd <= 1.4.40 (without this patch) is to reject requests that carry a Proxy header:
    
    * Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
      if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
    * Modify lighttpd.conf to load mod_magnet and run lua code
        server.modules += ( "mod_magnet" )
        magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
    
    References:
    
    https://www.kb.cert.org/vuls/id/797896
    CGI web servers assign Proxy header values from client requests to
    internal HTTP_PROXY environment variables
    
    https://httpoxy.org/
    httpoxy: A CGI application vulnerability

Index: lighttpd-1.4.35/src/mod_cgi.c
===================================================================
--- lighttpd-1.4.35.orig/src/mod_cgi.c	2014-03-06 15:08:00.000000000 +0100
+++ lighttpd-1.4.35/src/mod_cgi.c	2017-03-06 15:45:04.752849559 +0100
@@ -950,6 +950,12 @@ static int cgi_create_env(server *srv, c
 			ds = (data_string *)con->request.headers->data[n];
 
 			if (ds->value->used && ds->key->used) {
+				/* Do not emit HTTP_PROXY in environment.
+				 * Some executables use HTTP_PROXY to configure
+				 * outgoing proxy.  See also https://httpoxy.org/ */
+				if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
+					continue;
+				}
 				size_t j;
 
 				buffer_reset(p->tmp_buf);
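Review bot: The new `if (...) continue;` is placed ahead of the `size_t j;` declaration on the following line, so the block now has a statement before a declaration; if this tree is still built as C89 or with -Wdeclaration-after-statement that is a diagnostic, and it is not clear from the hunk which mode is used. Moving the Proxy test above the enclosing `if (ds->value->used && ds->key->used)` check, or moving `size_t j;` up to the top of that block, keeps the filtering identical and avoids the question. The caseless comparison is the right choice, since header names are case-insensitive and a lowercase `proxy:` header would otherwise still be exported as HTTP_PROXY. cgi_create_env starts before and continues past this hunk.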
Index: lighttpd-1.4.35/src/mod_fastcgi.c
===================================================================
--- lighttpd-1.4.35.orig/src/mod_fastcgi.c	2014-03-06 15:08:00.000000000 +0100
+++ lighttpd-1.4.35/src/mod_fastcgi.c	2017-03-06 15:45:23.964877000 +0100
@@ -1778,6 +1778,12 @@ static int fcgi_env_add_request_headers(
 		ds = (data_string *)con->request.headers->data[i];
 
 		if (ds->value->used && ds->key->used) {
+			/* Do not emit HTTP_PROXY in environment.
+			 * Some executables use HTTP_PROXY to configure
+			 * outgoing proxy.  See also https://httpoxy.org/ */
+			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
+				continue;
+			}
 			size_t j;
 			buffer_reset(srv->tmp_buf);
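Review bot: The same three-line comment and `buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))` test is now copy-pasted into mod_cgi, mod_fastcgi, mod_scgi and mod_ssi, and all four must be updated in lockstep the next time a request header is found that must not reach a backend. A small shared predicate, e.g. `static int http_header_is_hop_private(const buffer *key)` in a common header that each env builder calls, would keep the four sites from drifting. As written the new `continue` also precedes the `size_t j;` declaration, which is fine under C99 but worth a glance if the build still targets C89. fcgi_env_add_request_headers begins and ends outside this hunk.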
 
Index: lighttpd-1.4.35/src/mod_proxy.c
===================================================================
--- lighttpd-1.4.35.orig/src/mod_proxy.c	2014-03-06 15:08:00.000000000 +0100
+++ lighttpd-1.4.35/src/mod_proxy.c	2017-03-06 15:45:28.376883302 +0100
@@ -476,6 +476,10 @@ static int proxy_create_env(server *srv,
 		if (ds->value->used && ds->key->used) {
 			if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Connection"))) continue;
 			if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Proxy-Connection"))) continue;
+			/* Do not emit HTTP_PROXY in environment.
+			 * Some executables use HTTP_PROXY to configure
+			 * outgoing proxy.  See also https://httpoxy.org/ */
+			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) continue;
 
 			buffer_append_string_buffer(b, ds->key);
 			buffer_append_string_len(b, CONST_STR_LEN(": "));
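Review bot: The comment on the new check says "Do not emit HTTP_PROXY in environment", but mod_proxy builds no environment here: the lines just below append `key: value` to a buffer that is forwarded to an upstream HTTP server, so the comment misdescribes what this site is protecting against. A wording that matches the code would be `/* Strip bogus "Proxy" request header so it is not forwarded to a backend that might export it as HTTP_PROXY (httpoxy). See https://httpoxy.org/ */`. The new comparison is caseless, which is correct for header names; note that the two pre-existing Connection/Proxy-Connection checks directly above it use the case-sensitive `buffer_is_equal_string`, so the three filters in this loop now behave differently for mixed-case input. proxy_create_env starts before and continues past this hunk.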
Index: lighttpd-1.4.35/src/mod_scgi.c
===================================================================
--- lighttpd-1.4.35.orig/src/mod_scgi.c	2014-03-06 15:08:00.000000000 +0100
+++ lighttpd-1.4.35/src/mod_scgi.c	2017-03-06 15:45:55.656922268 +0100
@@ -1425,6 +1425,12 @@ static int scgi_env_add_request_headers(
 		ds = (data_string *)con->request.headers->data[i];
 
 		if (ds->value->used && ds->key->used) {
+			/* Do not emit HTTP_PROXY in environment.
+			 * Some executables use HTTP_PROXY to configure
+			 * outgoing proxy.  See also https://httpoxy.org/ */
+			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
+				continue;
+			}
 			size_t j;
 			buffer_reset(srv->tmp_buf);
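Review bot: The inserted `if (...) continue;` now sits between the opening of the `if (ds->value->used && ds->key->used)` block and the `size_t j;` declaration, so the declaration no longer leads the block; under C99 that is legal, but if the build uses C89 or -Wdeclaration-after-statement it will warn. Placing the Proxy check as the first statement of the surrounding loop, before the `ds->value->used` test, is equivalent (a Proxy header with an empty value is not exported by either ordering, since the outer condition already skips it) and keeps `size_t j;` first in its block. scgi_env_add_request_headers begins and ends outside this hunk.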
 
Index: lighttpd-1.4.35/src/mod_ssi.c
===================================================================
--- lighttpd-1.4.35.orig/src/mod_ssi.c	2014-03-06 15:08:00.000000000 +0100
+++ lighttpd-1.4.35/src/mod_ssi.c	2017-03-06 15:36:19.960102713 +0100
@@ -177,7 +177,14 @@ static int ssi_env_add_request_headers(s
 			buffer_reset(srv->tmp_buf);
 
 			/* don't forward the Authorization: Header */
-			if (0 == strcasecmp(ds->key->ptr, "AUTHORIZATION")) {
+			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Authorization"))) {
+				continue;
+			}
+
+			/* Do not emit HTTP_PROXY in environment.
+			 * Some executables use HTTP_PROXY to configure
+			 * outgoing proxy.  See also https://httpoxy.org/ */
+			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
 				continue;
 			}
 