Permalink
Browse files

we don't use the HTTP_PROXY environment variable in uppercase anymore…

…, since

it might become a security problem (Bugs item #415391)
  • Loading branch information...
1 parent d7b54eb commit 18f044f19d26f2b6dcd41796966f488a62a1bdca @bagder bagder committed Apr 11, 2001
Showing with 13 additions and 1 deletion.
  1. +13 −1 lib/url.c
View
@@ -1579,7 +1579,19 @@ static CURLcode Connect(struct UrlData *data,
/* read the protocol proxy: */
prox=curl_getenv(proxy_env);
- if(!prox) {
+ /*
+ * We don't try the uppercase version of HTTP_PROXY because of
+ * security reasons:
+ *
+ * When curl is used in a webserver application
+ * environment (cgi or php), this environment variable can
+ * be controlled by the web server user by setting the
+ * http header 'Proxy:' to some value.
+ *
+ * This can cause 'internal' http/ftp requests to be
+ * arbitrarily redirected by any external attacker.
+ */
+ if(!prox && !strequal("http_proxy", proxy_env)) {
/* There was no lowercase variable, try the uppercase version: */
for(envp = proxy_env; *envp; envp++)
*envp = toupper(*envp);

0 comments on commit 18f044f

Please sign in to comment.