
SA-CORE-2016-003 by alexpott, Michael Dowling, mlhess, xjm, Pere Orga…

…, dawehner, greggles, coltrane, pwolanin, larowlan
xjm committed Jul 18, 2016
1 parent 2fb3a05 commit 17ff00c6c4a774c5164991f0f179c95ce886793c
Showing with 41 additions and 27 deletions.
  1. +3 −1 .htaccess
  2. +22 −22 composer.lock
  3. +1 −1 core/composer.json
  4. +7 −0 core/lib/Drupal/Core/Http/ClientFactory.php
  5. +0 −3 sites/default/default.settings.php
  6. +8 −0 web.config
@@ -180,8 +180,10 @@ AddEncoding gzip svgz
</IfModule>
</IfModule>
# Add headers to all responses.
# Various header fixes.
<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options nosniff
# Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy
</IfModule>
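Review bot: The `RequestHeader unset Proxy` line only takes effect when mod_headers is loaded, because it sits inside the `<IfModule mod_headers.c>` block; on a host without that module the Proxy request header still reaches the application and is passed through to it as the `HTTP_PROXY` environment variable, which is what this commit is trying to prevent. The comment above it should say what the header does so that an administrator who trims this block keeps the line: `# Disable Proxy header, since it's an attack vector: CGI/FastCGI exposes it to the application as HTTP_PROXY, which HTTP client libraries may honour as an outbound proxy. This is a no-op if mod_headers is not loaded.` Sites that cannot load mod_headers would need an equivalent control elsewhere (front proxy or load balancer).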
@@ -21,7 +21,7 @@
"twig/twig": "^1.23.1",
"doctrine/common": "2.5.*",
"doctrine/annotations": "1.2.*",
"guzzlehttp/guzzle": "~6.1",
"guzzlehttp/guzzle": "~6.2",
"symfony-cmf/routing": "~1.4",
"easyrdf/easyrdf": "0.9.*",
"zendframework/zend-feed": "~2.4",
@@ -52,6 +52,13 @@ public function fromOptions(array $config = []) {
'User-Agent' => 'Drupal/' . \Drupal::VERSION . ' (+https://www.drupal.org/) ' . \GuzzleHttp\default_user_agent(),
],
'handler' => $this->stack,
// Security consideration: prevent Guzzle from using environment variables
// to configure the outbound proxy.
'proxy' => [
'http' => NULL,
'https' => NULL,
'no' => [],
]
];
$config = NestedArray::mergeDeep($default_config, Settings::get('http_client_config', []), $config);
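Review bot: The new `'proxy'` default explains that it stops Guzzle reading environment variables but not why that matters here, which is the part a future maintainer is likely to "simplify" away; the comment should name the mechanism, e.g. `// Security consideration: prevent Guzzle from using environment variables to configure the outbound proxy. Under CGI/FastCGI a client-supplied Proxy request header becomes the HTTP_PROXY environment variable, so honouring it would let a remote user redirect this site's outbound requests. Site-specific proxy settings still apply via $settings['http_client_config'] merged below.` The closing `]` of the new nested array on the line before `];` has no trailing comma, which the other multi-line arrays in this file carry; use `],`. fromOptions() starts before this hunk (its signature is only visible in the hunk header) and its body continues after it.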
@@ -325,9 +325,6 @@
*
* You can also define an array of host names that can be accessed directly,
* bypassing the proxy, in $settings['http_client_config']['proxy']['no'].
*
* If these settings are not configured, the system environment variables
* HTTP_PROXY, HTTPS_PROXY, and NO_PROXY on the web server will be used instead.
*/
# $settings['http_client_config']['proxy']['http'] = 'http://proxy_user:proxy_pass@example.com:8080';
# $settings['http_client_config']['proxy']['https'] = 'http://proxy_user:proxy_pass@example.com:8080';
@@ -34,6 +34,14 @@
</conditions>
</rule>
<rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
<match url="*.*" />
<serverVariables>
<set name="HTTP_PROXY" value="" />
</serverVariables>
<action type="None" />
</rule>
<!-- To redirect all users to access the site WITH the 'www.' prefix,
http://example.com/foo will be redirected to http://www.example.com/foo)
adapt and uncomment the following: -->
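Review bot: The new "Erase HTTP_PROXY" rule matches on `<match url="*.*" />`, and in URL Rewrite's wildcard syntax that pattern appears to require a literal dot somewhere in the URL path, so a request such as `/node/1` or `/` would presumably not match and its Proxy header would survive as HTTP_PROXY; unless a dot is always present by the time this rule runs (e.g. after an earlier rewrite to index.php, which would also have to not stop processing), `<match url="*" />` is the unconditional form and is worth confirming against a test request. Separately, URL Rewrite only allows `<serverVariables><set>` in a web.config for variables listed in the server-level allowed server variables; if HTTP_PROXY is not listed, the rule may fail for every request rather than silently doing nothing, so the comment on the rule should say that the administrator must allow HTTP_PROXY at the server level, e.g. `<!-- Clears the Proxy request header so it cannot become HTTP_PROXY for the application; HTTP_PROXY must be in URL Rewrite's allowed server variables. -->`. The enclosing `<rules>` element starts before this hunk.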
