File apache2-cve-2016-5387.patch of Package apache2.18661

From 68e2a08a173f64758425bf13f684432fe50eec20 Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Wed, 13 Jul 2016 18:06:35 +0200
Subject: [PATCH] Don't translate "Proxy" HTTP headers into $HTTP_PROXY env
 vars (CVE-2016-5387).

ap_add_common_vars() provides a HTTP_FOO="..." environment variable for every
"Foo: ..." HTTP header received in the request. While this mechanism is useful
in general, there is potential for abuse by sending a header like

  Proxy: http://malicious-machine.example.org/

that would be translated into an environment variable

  HTTP_PROXY=http://malicious-machine.example.org/

for the request handler running on the server.
---
 server/util_script.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/util_script.c b/server/util_script.c
index 308e009..5fd800a 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -199,6 +199,9 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
             }
         }
 #endif
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+          continue;       /* Don't create HTTP_PROXY to avoid CVE-2016-5387. */
+        }
         else
             add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
     }
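Review bot: The new `else if` branch filters on the raw header key (`hdrs[i].key` compared to "Proxy"), while the variable name that actually reaches the environment is produced by `http2env(r, hdrs[i].key)` in the `else` branch below. If `http2env()` can map any other key to `HTTP_PROXY`, this check would not cover it. Consider computing the environment name first and skipping the entry when that name equals "HTTP_PROXY", or state in the comment why an exact match on the key is sufficient. Style: `continue;` is indented two spaces under the `else if`, while the neighbouring `add_unless_null(...)` line uses four. Since every branch in this chain ends the loop iteration anyway, an empty body with the comment would behave the same as `continue`.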
-- 
2.9.0
