From 1b91e91194a095ea922f96d1dccddf6fbc446e54 Mon Sep 17 00:00:00 2001 From: Mark Thomas Date: Fri, 19 Aug 2016 16:56:33 +0000 Subject: [PATCH] Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can be used to mitigate any future, similar issues. git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.5.x/trunk@1756940 13f79535-47bb-0310-9956-ffa450edef68 --- conf/web.xml | 11 ++++++++- .../apache/catalina/servlets/CGIServlet.java | 23 ++++++++++++++----- webapps/docs/cgi-howto.xml | 6 +++++ webapps/docs/changelog.xml | 7 ++++++ 4 files changed, 40 insertions(+), 7 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index 7da15fc49d7..e61b8b811b1 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -334,6 +334,15 @@ + + + + + + + + + @@ -353,7 +362,7 @@ cgiPathPrefix WEB-INF/cgi - 5 + 5 --> diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index 15dbf0efb25..d3746d5d447 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -35,6 +35,7 @@ import java.util.Map.Entry; import java.util.StringTokenizer; import java.util.Vector; +import java.util.regex.Pattern; import javax.servlet.RequestDispatcher; import javax.servlet.ServletConfig; 
@@ -265,6 +266,16 @@ public final class CGIServlet extends HttpServlet {
 */
 private long stderrTimeout = 2000;
 
+ /**
+ * The regular expression used to select HTTP headers to be passed to the
+ * CGI process as environment variables. The name of the environment
+ * variable will be the name of the HTTP header converter to upper case,
+ * prefixed with HTTP_ and with all - characters
+ * converted to _.
+ */
+ private Pattern envHttpHeadersPattern = Pattern.compile(
+ "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT");
+
 /** object used to ensure multiple threads don't try to expand same file */
 private static final Object expandFileLock = new Object();
 
@@ -326,6 +337,10 @@ public void init(ServletConfig config) throws ServletException {
 "stderrTimeout"));
 }
 
+ if (getServletConfig().getInitParameter("envHttpHeaders") != null) {
+ envHttpHeadersPattern =
+ Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
+ }
 }
 
 
@@ -963,12 +978,8 @@ protected boolean setCGIEnvironment(HttpServletRequest req) throws IOException {
 //REMIND: rewrite multiple headers as if received as single
 //REMIND: change character set
 //REMIND: I forgot what the previous REMIND means
- if ("AUTHORIZATION".equalsIgnoreCase(header) ||
- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
- //NOOP per CGI specification section 11.2
- } else {
- envp.put("HTTP_" + header.replace('-', '_'),
- req.getHeader(header));
+ if (envHttpHeadersPattern.matcher(header).matches()) {
+ envp.put("HTTP_" + header.replace('-', '_'), req.getHeader(header));
 }
 }
 
diff --git a/webapps/docs/cgi-howto.xml b/webapps/docs/cgi-howto.xml
index ef41f4c061c..b473c164041 100644
--- a/webapps/docs/cgi-howto.xml
+++ b/webapps/docs/cgi-howto.xml
@@ -103,6 +103,12 @@ if your script is itself executable (e.g. an exe file). Default is
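Review bot: The Javadoc on the new `envHttpHeadersPattern` field has a typo, `the name of the HTTP header converter to upper case` should read `converted to upper case`. It also does not say that the whole header name has to match, which is what `matcher(header).matches()` in the setCGIEnvironment hunk enforces and what cgi-howto.xml documents; adding `The entire upper-cased header name must match the pattern.` keeps the code-level doc in step with the user doc. The pattern is compiled without flags and is therefore case-sensitive, so the Javadoc should also state that a custom `envHttpHeaders` value has to be written in upper case, otherwise an operator who supplies a lower-case pattern will get no headers at all and no error.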
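Review bot: `getServletConfig().getInitParameter("envHttpHeaders")` is evaluated twice in the block added to `init`; reading it once into a local is clearer and cannot diverge, e.g. `String envHttpHeaders = getServletConfig().getInitParameter("envHttpHeaders");` / `if (envHttpHeaders != null) {` / `envHttpHeadersPattern = Pattern.compile(envHttpHeaders);`. An invalid expression makes `Pattern.compile` throw `PatternSyntaxException` out of `init`, so the servlet fails to initialise rather than silently keeping the default; that is the right outcome for a filter deciding what reaches the CGI process, but a short comment saying the failure is intentional would spare the next reader from wondering whether a fallback was meant. The body of `init` starts before this hunk.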
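Review bot: The new `if` matches the pattern against `header` as it stands, so the filter only behaves as documented (upper-case names, whole-name match) if the loop that produces `header`, which begins outside this hunk, has already upper-cased it; a comment such as `// header is upper-cased above; matches() requires the whole name to match` would record that dependency at the point that relies on it. A second point: `header.replace('-', '_')` on the following line means two distinct header names can yield the same `HTTP_*` variable, and the later `envp.put` silently overwrites the earlier one. The default pattern admits only letters, digits and `-`, so this cannot happen out of the box, but a custom `envHttpHeaders` value that also admits `_` reopens it; the field Javadoc or cgi-howto.xml should advise against patterns that match names containing `_`. Finally, the removed branch cited CGI specification section 11.2 as the reason `AUTHORIZATION` and `PROXY_AUTHORIZATION` are never exported; the new default pattern excludes them as well, but that rationale now exists nowhere in the code, so it is worth carrying the reference into the field Javadoc.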
  • executable-arg-1, executable-arg-2, and so on - additional arguments for the executable. These precede the CGI script name. By default there are no additional arguments.
  • +
  • envHttpHeaders - A regular expression used to select the +HTTP headers passed to the CGI process as environment variables. Note that +headers are converted to upper case before matching and that the entire header +name must match the pattern. Default is +ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT +
  • parameterEncoding - Name of the parameter encoding to be used with the CGI servlet. Default is System.getProperty("file.encoding","UTF-8"). That is the system diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index c880f175852..ded17e112b8 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -146,6 +146,13 @@ StandardRoot instance now invalidate the cache if caching is enabled. (markt) + + Add a new initialisation parameter, envHttpHeaders, to + the CGI Servlet to mitigate httpoxy + (CVE-2016-5388) by default and to provide a mechanism that can be + used to mitigate any future, similar issues. (markt) +