File apache2-cve-2016-5387.patch of Package apache2.21267
From 68e2a08a173f64758425bf13f684432fe50eec20 Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Wed, 13 Jul 2016 18:06:35 +0200
Subject: [PATCH] Don't translate "Proxy" HTTP headers into $HTTP_PROXY env
vars (CVE-2016-5387).
ap_add_common_vars() provides a HTTP_FOO="..." environment variable for every
"Foo: ..." HTTP header received in the request. While this mechanism is useful
in general, there is potential for abuse by sending a header like
Proxy: http://malicious-machine.example.org/
that would be translated into an environment variable
HTTP_PROXY=http://malicious-machine.example.org/
for the request handler running on the server.
---
server/util_script.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/server/util_script.c b/server/util_script.c
index 308e009..5fd800a 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -199,6 +199,9 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
}
}
#endif
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ continue; /* Don't create HTTP_PROXY to avoid CVE-2016-5387. */
+ }
else
add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
}
--
2.9.0