apache2/patches/httpoxy.patch

https://www.apache.org/security/asf-httpoxy-response.txt
http://svn.apache.org/viewvc?view=revision&revision=1756564

--- docs/conf/httpd.conf.in 2012/02/06 16:54:24 1241075
+++ docs/conf/httpd.conf.in 2016/08/16 23:32:35 1756564
@@ -284,6 +284,15 @@
 #
 DefaultType text/plain

+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
+
 <IfModule mime_module>
     #
     # TypesConfig points to the file containing the list of mappings from
--- server/util_script.c    2012/08/21 17:42:49 1375683
+++ server/util_script.c    2016/08/16 23:32:35 1756564
@@ -165,6 +165,14 @@
         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them