Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[fastcgi] environment variable overwrites HTTP_* #996

merged 2 commits into from Jul 20, 2016


Copy link

@kazuho kazuho commented Jul 19, 2016

In current implementation, environment variables set using setenv configuration directive does not overwrite the received HTTP request headers. The bug makes us impossible to use the directive to block attacks trying to exploit httpoxy vulnerability.

This PR is a quick fix for the issue so that we can use the directive to prevent the attack.

Note that there are other issues in how we build FastCGI request parameters:

  • even with this fixed, setenv cannot cannot rewrite specially-treated headers like HTTP_HOST
  • unsetenv cannot be used for resetting HTTP_*, etc.
  • if a request header with a same name appears more than once, only the last value is transmitted to the application; we must repeated headers are not comma-concatenated

So we might fix all these issues at once, depending on how long it would take.

relates to #994

@kazuho kazuho force-pushed the kazuho/setenv-to-override-http-headers branch from 5681f5a to fd2d45c Compare July 20, 2016 09:25
@kazuho kazuho merged commit 0cda25b into master Jul 20, 2016
Copy link

@kazuho Do you intend to release a new 2.0.x version including this patch (or else 2.1)? Or do we have to upgrade to current in order to get protection against httpoxy?

kazuho added a commit that referenced this pull request Jul 29, 2016
[fastcgi] environment variable overwrites `HTTP_*`
Copy link
Member Author

kazuho commented Aug 2, 2016

@utrenkner Sorry for the delay. Just released 2.0.2.

Copy link

@kazuho Thank you. I updated our server and issued a pull request to to include the h2o related mitigation httpoxy/httpoxy-org#20

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

2 participants