HomePhabricator

Blanket reject request which may have been poisoned by a "Proxy" header to…

Description

Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability

Summary:
See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a Proxy: header.

This will also do a false-positive reject if HTTP_PROXY is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan:

  • Made requests using curl -H Proxy:..., got rejected.
  • Made normal requests, got normal pages.

Reviewers: chad, avivey

Reviewed By: avivey

Differential Revision: https://secure.phabricator.com/D16318

Details

Provenance
epriestleyAuthored on Jul 22 2016, 12:22 AM
epriestleyPushed on Jul 22 2016, 3:18 AM
Reviewer
avivey
Differential Revision
D16318: Blanket reject request which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability
Parents
rP68904d941c54: bin/storage shell: force TCP
Branches
Unknown
Tags
Unknown
Build Status
Buildable 13117
Build 16776: Run Core Tests