Skip to content
Permalink
Browse files Browse the repository at this point in the history
CVE-2016-1000109: Ignore Proxy HTTP header from fastcgi requests
Summary:
The default PHP behavior is to transform a Proxy header from requests
into the HTTP_PROXY environment variable in the PHP environment running the
request. Some scripts may use this env var to decide which HTTP proxy to
connect to, and we don't want requests to have that kind of control over
scripts' behavior.

Reviewed By: alexmalyshev, Orvid

Differential Revision: D3579221

fbshipit-source-id: 18a405fd73aee65283aea99ff995f8082b3fc3b5
  • Loading branch information
swtaarrs authored and Hhvm Bot committed Jul 19, 2016
1 parent a47d75b commit 423b4b7
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions hphp/runtime/server/fastcgi/fastcgi-transport.cpp
Expand Up @@ -212,6 +212,10 @@ void FastCGITransport::onHeader(std::unique_ptr<folly::IOBuf> key_chain,
Cursor keyCur(key_chain.get());
auto key = keyCur.readFixedString(key_chain->computeChainDataLength());

// Don't allow requests to inject an HTTP_PROXY environment variable by
// sending a Proxy header.
if (strcasecmp(key.c_str(), "HTTP_PROXY") == 0) return;

Cursor valCur(value_chain.get());
auto value = valCur.readFixedString(value_chain->computeChainDataLength());

Expand Down

0 comments on commit 423b4b7

Please sign in to comment.