Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability
ClosedPublic
Actions

Authored by epriestley on Jul 22 2016, 12:25 AM.

Details

Reviewers

avivey
chad

Commits

rPfc950140b4c1: Blanket reject request which may have been poisoned by a "Proxy" header to…

Summary

See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a Proxy: header.

This will also do a false-positive reject if HTTP_PROXY is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan

Made requests using curl -H Proxy:..., got rejected.
Made normal requests, got normal pages.

Diff Detail

Repository

rP Phabricator

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 39239.Jul 22 2016, 12:25 AM

epriestley retitled this revision from to Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added reviewers: chad, avivey.

epriestley mentioned this in T11359: "httpoxy" HTTP Proxy Environmental Vulnerability.Jul 22 2016, 12:36 AM

epriestley updated this object.Jul 22 2016, 12:40 AM