httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Blacklisting HTTP_PROXY variable for CGIs?
Date Sun, 01 Feb 2015 08:04:50 GMT
Hi,

there are several programs that honor the HTTP_PROXY environment 
variable in upper case. This is of course problematic if such programs 
are called inside CGIs because the variable can be set by an attacker 
via the Proxy: header.

It goes without question that all these programs need to be fixed. But 
I think it would still be a good idea if httpd would not export the 
HTTP_PROXY variable to CGIs and other subprocesses (mod_include, etc.) 
by default. The easiest way to achieve this would be to modify the 
ap_add_common_vars() function. Probably there should be a config knob 
to revert to the old behavior. For now, a flag would be enough, but 
this could later be extended to allow specifying a list of variables.

Another place where HTTP_PROXY should be blacklisted is probably the 
suexec helper. This would of course not be configurable.

What do you think? If you agree, how should the config directive be 
called? BlacklistEnv (on/off for now but maybe a list of vars in the 
future)? 

Cheers,
Stefan
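As an added illustration (not httpd's code and not part of the mail above), the following models how a CGI gateway derives HTTP_* meta-variables from request headers and what the proposed on/off blacklist knob would change; the blacklist array, function names and sample headers are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_VARS 16
#define VAR_LEN 128

/* Assumed blacklist: variable names that a client-supplied header must never
 * populate in a subprocess environment. HTTP_PROXY is the case from the mail. */
static const char *blacklist[] = { "HTTP_PROXY", NULL };

/* Map a header name to its CGI meta-variable name (RFC 3875 style):
 * prefix "HTTP_", upper-case it, turn '-' into '_'. Returns 0 on success. */
int header_to_envname(const char *header, char *out, size_t outlen) {
    size_t n = strlen(header);
    if (n + 6 > outlen) return -1;          /* "HTTP_" + name + NUL must fit */
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)header[i];
        out[5 + i] = (c == '-') ? '_' : (char)toupper(c);
    }
    out[5 + n] = '\0';
    return 0;
}

/* Returns 1 if the derived name is on the blacklist. */
int is_blacklisted(const char *envname) {
    for (const char **b = blacklist; *b; b++)
        if (strcmp(*b, envname) == 0) return 1;
    return 0;
}

/* Build "NAME=value" entries for the subprocess from headers[i]/values[i].
 * blacklist_env models the proposed config knob: when set, blacklisted names
 * (here HTTP_PROXY) are dropped so a "Proxy:" header cannot reach the CGI.
 * Returns the number of entries written into env. */
int build_cgi_env(const char *headers[], const char *values[], int count,
                  int blacklist_env, char env[][VAR_LEN]) {
    int written = 0;
    char name[VAR_LEN];
    for (int i = 0; i < count && written < MAX_VARS; i++) {
        if (header_to_envname(headers[i], name, sizeof name) != 0) continue;
        if (blacklist_env && is_blacklisted(name)) continue;
        snprintf(env[written], VAR_LEN, "%s=%s", name, values[i]);
        written++;
    }
    return written;
}
```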

