Page MenuHomePhabricator

Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability
ClosedPublic

Authored by epriestley on Jul 22 2016, 12:25 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Dec 7, 4:53 PM
Unknown Object (File)
Tue, Dec 3, 2:33 AM
Unknown Object (File)
Sat, Nov 30, 7:27 PM
Unknown Object (File)
Wed, Nov 27, 11:18 AM
Unknown Object (File)
Mon, Nov 18, 8:32 PM
Unknown Object (File)
Nov 1 2024, 11:31 PM
Unknown Object (File)
Oct 27 2024, 10:26 AM
Unknown Object (File)
Oct 23 2024, 1:47 AM
Subscribers
None

Details

Summary

See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a Proxy: header.

This will also do a false-positive reject if HTTP_PROXY is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan
  • Made requests using curl -H Proxy:..., got rejected.
  • Made normal requests, got normal pages.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added reviewers: chad, avivey.
avivey edited edge metadata.

lgtm

This revision is now accepted and ready to land.Jul 22 2016, 2:39 AM
This revision was automatically updated to reflect the committed changes.