source: trunk/server/common/patches/httpd-suexec-CVE-2016-5387.patch @ 2820

Last change on this file since 2820 was 2774, checked in by andersk, 8 years ago
Apply the 2015 suexec patch for CVE-2016-5387 “httpoxy”. Also remove our inexplicable whitelist entry for HTTPS_* environment variables.
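------------------------------------------------------------------------
r1659711 | sf | 2015-02-13 18:24:10 -0500 (Fri, 13 Feb 2015) | 4 lines

suexec: Filter out HTTP_PROXY

Some programs look there for the http proxy server.

--- a/support/suexec.c
+++ b/support/suexec.c
@@ -91,8 +91,8 @@
 static const char *const safe_env_lst[] =
 {
     /* variable name starts with */
-    "HTTP_",
     "SSL_",
+    /* "HTTP_" is handled specially in clean_env() */
 
     /* variable name is */
     "AUTH_TYPE=",
@@ -253,6 +253,20 @@
     cidx++;
 
     for (ep = envp; *ep && cidx < AP_ENVBUF-1; ep++) {
+        if (strncmp(*ep, "HTTP_", 5) == 0) {
+            if (strncmp(*ep + 5, "PROXY=", 6) == 0) {
+                /*
+                 * HTTP_PROXY is treated as alias for http_proxy by some
+                 * programs.
+                 */
+            }
+            else {
+                /* Other HTTP_* are safe */
+                cleanenv[cidx] = *ep;
+                cidx++;
+            }
+            continue;
+        }
         for (idx = 0; safe_env_lst[idx]; idx++) {
             if (!strncmp(*ep, safe_env_lst[idx],
                          strlen(safe_env_lst[idx]))) {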
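Review bot: The empty branch at new lines 257–262 drops HTTP_PROXY without saying what it defends against; the comment only mentions the http_proxy alias, so a later maintainer could read the dropped entry as harmless and move "HTTP_" back into safe_env_lst. I would extend the comment to name the mechanism and the advisory the commit cites: `/* A client-supplied Proxy: request header reaches CGI as HTTP_PROXY and is honoured as http_proxy by some programs (CVE-2016-5387, "httpoxy"); drop it rather than pass it through. */`. The comment should also state that the exact-case match on `"PROXY="` is sufficient only because the CGI interface upper-cases header names before prefixing HTTP_, which is what makes HTTP_PROXY the single spelling to catch. As a style point, the empty `if` body could be inverted to `if (strncmp(*ep + 5, "PROXY=", 6) != 0)` so the copy happens in the only branch, and the drop is silent, so if suexec's logging helper is considered appropriate inside clean_env(), one log line here would make an injection attempt visible to operators. clean_env() starts before this hunk.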