
we don't use the HTTP_PROXY environment variable in uppercase anymore, since it might become a security problem (Bugs item #415391)
bagder committed Apr 11, 2001
1 parent d7b54eb commit 18f044f
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion lib/url.c
Expand Up @@ -1579,7 +1579,19 @@ static CURLcode Connect(struct UrlData *data,
/* read the protocol proxy: */
prox=curl_getenv(proxy_env);

if(!prox) {
/*
* We don't try the uppercase version of HTTP_PROXY because of
* security reasons:
*
* When curl is used in a webserver application
* environment (cgi or php), this environment variable can
* be controlled by the web server user by setting the
* http header 'Proxy:' to some value.
*
* This can cause 'internal' http/ftp requests to be
* arbitrarily redirected by any external attacker.
*/
if(!prox && !strequal("http_proxy", proxy_env)) {
/* There was no lowercase variable, try the uppercase version: */
for(envp = proxy_env; *envp; envp++)
*envp = toupper(*envp);
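Review bot: the new guard `!strequal("http_proxy", proxy_env)` skips the uppercase fallback only for HTTP and keeps it for the other `*_proxy` variables, but the comment above it does not say why that split is safe; consider adding that CGI only exposes incoming request headers as `HTTP_`-prefixed variables, so a client-supplied `Proxy:` header becomes `HTTP_PROXY` yet can never yield `FTP_PROXY`, which is what makes the per-protocol exception sufficient. Two wording points in the same comment: "the web server user" reads as the account the server runs under, whereas the party who controls the header is any remote client able to send a request, so "any HTTP client" would be clearer; and "cgi or php" could name the mechanism explicitly ("request headers mapped to HTTP_* environment variables") so a future reader does not have to know the CGI convention to understand the threat.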
