Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability
ClosedPublic
Actions

Authored by epriestley on Jul 22 2016, 12:25 AM.

Details

Reviewers

avivey
chad

Commits

rPfc950140b4c1: Blanket reject request which may have been poisoned by a "Proxy" header to…

Summary

See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a Proxy: header.

This will also do a false-positive reject if HTTP_PROXY is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan

Made requests using curl -H Proxy:..., got rejected.
Made normal requests, got normal pages.

Diff Detail

Repository

rP Phabricator

Branch

httpoxy1

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 13116
Build 16775: Run Core Tests
Build 16774: arc lint + arc unit

Event Timeline

epriestley updated this revision to Diff 39239.Jul 22 2016, 12:25 AM

epriestley retitled this revision from to Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added reviewers: chad, avivey.

epriestley mentioned this in T11359: "httpoxy" HTTP Proxy Environmental Vulnerability.Jul 22 2016, 12:36 AM

epriestley updated this object.Jul 22 2016, 12:40 AM