Blanket reject request which may have been poisoned by a "Proxy" header to…
fc950140b4c1Unpublished
Actions

Unpublished Commit · Learn More

Repository Importing: This repository is still importing.

Description

Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability

Summary:
See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a Proxy: header.

This will also do a false-positive reject if HTTP_PROXY is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan:

Made requests using curl -H Proxy:..., got rejected.
Made normal requests, got normal pages.

Reviewers: chad, avivey

Reviewed By: avivey

Differential Revision: https://secure.phabricator.com/D16318

Details

Provenance

epriestley <git@epriestley.com>

Authored on Jul 22 2016, 2:22 AM

Parents

rPHAB68904d941c54: bin/storage shell: force TCP

Branches

Unknown

Tags

Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHABfc950140b4c1: Blanket reject request which may have been poisoned by a "Proxy" header to… (authored by epriestley <git@epriestley.com>).Jul 22 2016, 5:18 AM

Changes (1)

Path

Size

support/

PhabricatorStartup.php

rPHABfc950140b4c1

View Options

support/PhabricatorStartup.php

Blanket reject request which may have been poisoned by a "Proxy" header to…fc950140b4c1UnpublishedActions