Page MenuHomePhabricator

Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability
ClosedPublic

Authored by epriestley on Jul 22 2016, 12:25 AM.
Tags
None
Referenced Files
Unknown Object (File)
Apr 3 2026, 12:58 AM
Unknown Object (File)
Mar 28 2026, 7:31 PM
Unknown Object (File)
Mar 20 2026, 7:49 AM
Unknown Object (File)
Mar 18 2026, 10:10 PM
Unknown Object (File)
Mar 8 2026, 4:00 PM
Unknown Object (File)
Mar 6 2026, 7:26 PM
Unknown Object (File)
Mar 3 2026, 8:34 PM
Unknown Object (File)
Feb 11 2026, 4:46 PM
Subscribers
None

Details

Summary

See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a Proxy: header.

This will also do a false-positive reject if HTTP_PROXY is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan
  • Made requests using curl -H Proxy:..., got rejected.
  • Made normal requests, got normal pages.

Diff Detail

Repository
rP Phabricator
Branch
httpoxy1
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 13116
Build 16775: Run Core Tests
Build 16774: arc lint + arc unit

Event Timeline

epriestley retitled this revision from to Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added reviewers: chad, avivey.
avivey edited edge metadata.

lgtm

This revision is now accepted and ready to land.Jul 22 2016, 2:39 AM
This revision was automatically updated to reflect the committed changes.