source: trunk/server/common/patches/httpd-suexec-CVE-2016-5387.patch @ 2798

Last change on this file since 2798 was 2774, checked in by andersk, 8 years ago
Apply the 2015 suexec patch for CVE-2016-5387 “httpoxy”. Also remove our inexplicable whitelist entry for HTTPS_* environment variables.
File size: 1.3 KB
RevLine 
[2774]1------------------------------------------------------------------------
2r1659711 | sf | 2015-02-13 18:24:10 -0500 (Fri, 13 Feb 2015) | 4 lines
3
4suexec: Filter out HTTP_PROXY
5
6Some programs look there for the http proxy server.
7
8
9Index: support/suexec.c
10===================================================================
11--- support/suexec.c    (revision 1659710)
12+++ support/suexec.c    (revision 1659711)
13@@ -91,8 +91,8 @@
14 static const char *const safe_env_lst[] =
15 {
16     /* variable name starts with */
17-    "HTTP_",
18     "SSL_",
19+    /* "HTTP_" is handled specially in clean_env() */
20 
21     /* variable name is */
22     "AUTH_TYPE=",
23@@ -253,6 +253,20 @@
24     cidx++;
25 
26     for (ep = envp; *ep && cidx < AP_ENVBUF-1; ep++) {
27+        if (strncmp(*ep, "HTTP_", 5) == 0) {
28+            if (strncmp(*ep + 5, "PROXY=", 6) == 0) {
29+                /*
30+                * HTTP_PROXY is treated as alias for http_proxy by some
31+                * programs.
32+                */
33+            }
34+            else {
35+                /* Other HTTP_* are safe */
36+                cleanenv[cidx] = *ep;
37+                cidx++;
38+            }
39+            continue;
40+        }
41         for (idx = 0; safe_env_lst[idx]; idx++) {
42             if (!strncmp(*ep, safe_env_lst[idx],
43                          strlen(safe_env_lst[idx]))) {
44
45------------------------------------------------------------------------
Note: See TracBrowser for help on using the repository browser.