
Addressing HTTP_PROXY security vulnerability, CVE-2016-5385

mtdowling committed Jul 15, 2016
1 parent 10a49d5 commit 9d521b23146cb6cedd772770a2617fd6cbdb1596
Showing with 7 additions and 3 deletions.
  1. +7 −3 src/Client.php
@@ -163,9 +163,13 @@ private function configureDefaults(array $config)
'cookies' => false
];
// Use the standard Linux HTTP_PROXY and HTTPS_PROXY if set
if ($proxy = getenv('HTTP_PROXY')) {
$defaults['proxy']['http'] = $proxy;
// Use the standard Linux HTTP_PROXY and HTTPS_PROXY if set.
// We can only trust the HTTP_PROXY environment variable in a CLI
// process due to the fact that PHP has no reliable mechanism to
// get environment variables that start with "HTTP_".
if (php_sapi_name() == 'cli' && getenv('HTTP_PROXY')) {
$defaults['proxy']['http'] = getenv('HTTP_PROXY');

@marcj

marcj Jul 18, 2016

What about HTTP/application servers that run in CLI, like ReactPHP?

@mtdowling

mtdowling via email Jul 18, 2016

Member

@marcj

marcj Jul 18, 2016

Alright, thanks. So the actual security flaw here is the combination of PHP populating all HTTP headers as HTTP_* env variables and that Guzzle is accidentally using a variable that starts with HTTP_ which can be set through a regular request. Rule of thumb for all PHP applications should thus be: never ever use HTTP_* environment variables (unless you can make sure the application is running only in CLI).

}
if ($proxy = getenv('HTTPS_PROXY')) {
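Review bot: the four-line comment added above says HTTP_PROXY can only be trusted in a CLI process, but it does not say why the `HTTPS_PROXY` branch right below is left unconditional; a one-line note that a request header can only populate an environment variable whose name starts with `HTTP_` (so a `Https-Proxy` header would land in `HTTP_HTTPS_PROXY`, never in `HTTPS_PROXY`) would document that the asymmetry is deliberate rather than an oversight. Minor style point on the new `if`: it calls `getenv('HTTP_PROXY')` twice, while the `HTTPS_PROXY` branch assigns once with `$proxy = getenv(...)`; writing `if (php_sapi_name() == 'cli' && ($proxy = getenv('HTTP_PROXY')))` and assigning `$proxy` keeps the two branches parallel.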
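A model of the rule marcj describes in the inline discussion above, as an added example (Python, not Guzzle's own code): which environment variable a request header lands in under CGI naming, why `HTTPS_PROXY` is out of a request's reach, and how the patched logic decides whether to trust `HTTP_PROXY`. The function names are this example's own and the sample values are constructed.

```python
# Added example, not part of the Guzzle commit. Models the CGI naming rule
# behind CVE-2016-5385 and the SAPI gate the patch introduces.

CLI_SAPIS = {"cli"}  # the only SAPI the patch trusts for HTTP_PROXY


def cgi_env_name(header: str) -> str:
    """Map an HTTP request header name to its CGI meta-variable name
    (RFC 3875): 'HTTP_' + the name upper-cased, '-' replaced by '_'."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def request_controllable(var: str, sapi: str) -> bool:
    """True if an environment variable of this name can be populated by a
    request header: only HTTP_* names are reachable, and only when PHP is
    serving HTTP requests (any SAPI other than the CLI)."""
    return var.startswith("HTTP_") and sapi not in CLI_SAPIS


def proxy_defaults(env: dict, sapi: str) -> dict:
    """Mirror the patched configureDefaults() decision: honour HTTP_PROXY
    only under the CLI SAPI, honour HTTPS_PROXY unconditionally."""
    proxy = {}
    if sapi in CLI_SAPIS and env.get("HTTP_PROXY"):
        proxy["http"] = env["HTTP_PROXY"]
    if env.get("HTTPS_PROXY"):
        proxy["https"] = env["HTTPS_PROXY"]
    return proxy


if __name__ == "__main__":
    # Constructed sample: a request carrying a "Proxy" header reaches PHP-FPM,
    # so the CGI layer exposes it as HTTP_PROXY.
    env = {cgi_env_name("Proxy"): "http://proxy.example:3128"}
    print(cgi_env_name("Proxy"), cgi_env_name("Https-Proxy"))
    print(request_controllable("HTTP_PROXY", "fpm-fcgi"))
    print(proxy_defaults(env, "fpm-fcgi"))  # ignored outside the CLI
    print(proxy_defaults(env, "cli"))       # trusted in a CLI process
```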

2 comments on commit 9d521b2

@ywarnier

ywarnier Aug 2, 2016

👍
I mentioned this patch to the httpoxy.org author so he can update the page (which kind of lets you believe that all Guzzle > v4 are vulnerable). Maybe it's worth doing some polite follow-up.
https://medium.com/we-build-vend/what-is-httpoxy-65a33a8a1f4d

@michealzh

michealzh replied Sep 5, 2016

👍
