[fastcgi] environment variable overwrites `HTTP_*` #996

Merged
merged 2 commits into from Jul 20, 2016

@kazuho
Member

kazuho commented Jul 19, 2016

In the current implementation, environment variables set using the setenv configuration directive do not overwrite the received HTTP request headers. The bug makes it impossible for us to use the directive to block attacks trying to exploit the httpoxy vulnerability.

This PR is a quick fix for the issue so that we can use the directive to prevent the attack.

Note that there are other issues in how we build FastCGI request parameters:

  • even with this fixed, setenv cannot rewrite specially-treated headers like HTTP_HOST
  • unsetenv cannot be used for resetting HTTP_*, etc.
  • if a request header with the same name appears more than once, only the last value is transmitted to the application; repeated headers are not comma-concatenated

So we might fix all these issues at once, depending on how long it would take.

relates to #994
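The precedence problem the PR describes, modelled as an added example (this is illustration code, not h2o's own C fastcgi handler): a gateway turns request headers into CGI `HTTP_*` parameters and then has to decide whether an operator's `setenv` entry or the client's header wins. `build_params_buggy` reproduces the pre-fix behaviour in which the header overwrites the `setenv` value, so an attacker's `Proxy:` header still reaches the application as `HTTP_PROXY`; `build_params_fixed` applies `setenv` last and, going beyond what this PR changes, also comma-joins repeated headers as the third bullet above asks for. The request headers, the proxy address and the `SETENV` mapping are constructed for the example; the special handling of `HTTP_HOST` mentioned in the first bullet is not modelled.

```python
"""Model of how a FastCGI gateway builds CGI parameters from request headers
plus `setenv` entries, and why the precedence matters for httpoxy.

Added illustration, not h2o's code. All header values below are constructed.
"""

# Headers that CGI (RFC 3875 4.1.2 / 4.1.3) exposes under their own names
# instead of the generic HTTP_* prefix.
SPECIAL_HEADERS = {
    "content-length": "CONTENT_LENGTH",
    "content-type": "CONTENT_TYPE",
}


def cgi_name(header):
    """Map an HTTP header name to its CGI meta-variable name (RFC 3875 4.1.18):
    upper-case, '-' replaced by '_', prefixed with HTTP_ unless special."""
    key = header.lower()
    if key in SPECIAL_HEADERS:
        return SPECIAL_HEADERS[key]
    return "HTTP_" + key.upper().replace("-", "_")


def build_params_buggy(headers, setenv):
    """Pre-fix behaviour described in the PR: setenv values are written first
    and a request header with the same CGI name then overwrites them, so a
    `setenv` of HTTP_PROXY="" cannot neutralise a client-supplied `Proxy:`.
    Repeated headers are not joined: the last value wins."""
    params = dict(setenv)
    for name, value in headers:
        params[cgi_name(name)] = value
    return params


def build_params_fixed(headers, setenv):
    """Fixed precedence: request headers are collected first, repeated
    headers are comma-joined (RFC 3875 4.1.18), and setenv entries are
    applied last so the operator's value always overwrites the client's."""
    params = {}
    for name, value in headers:
        key = cgi_name(name)
        params[key] = value if key not in params else params[key] + ", " + value
    params.update(setenv)
    return params


def proxy_used_by_app(params):
    """A typical CGI/FastCGI application (or its HTTP client library) reads
    the outbound proxy from HTTP_PROXY; an empty string means 'no proxy'."""
    return params.get("HTTP_PROXY") or None


# Constructed request: an attacker-supplied Proxy header plus a repeated header.
REQUEST_HEADERS = [
    ("Host", "example.com"),
    ("Proxy", "http://203.0.113.5:8080"),  # httpoxy payload (constructed)
    ("X-Forwarded-For", "198.51.100.7"),
    ("X-Forwarded-For", "192.0.2.9"),
]

# Operator mitigation: pin HTTP_PROXY to an empty string via setenv.
SETENV = {"HTTP_PROXY": ""}

if __name__ == "__main__":
    for label, build in (("buggy", build_params_buggy), ("fixed", build_params_fixed)):
        params = build(REQUEST_HEADERS, SETENV)
        print(label,
              "HTTP_PROXY=%r" % params.get("HTTP_PROXY"),
              "app proxy=%r" % proxy_used_by_app(params),
              "X-Forwarded-For=%r" % params["HTTP_X_FORWARDED_FOR"])
```

In h2o terms the `SETENV` mapping corresponds to a `setenv` entry that sets `HTTP_PROXY` to an empty string on the path that hands requests to FastCGI; before this PR that entry was silently lost whenever the client sent a `Proxy:` header, which is exactly the httpoxy case it is meant to stop.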

@kazuho kazuho merged commit 0cda25b into master Jul 20, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
utrenkner commented Jul 25, 2016

@kazuho Do you intend to release a new 2.0.x version including this patch (or else 2.1)? Or do we have to upgrade to current in order to get protection against httpoxy?

kazuho added a commit that referenced this pull request Jul 29, 2016

Merge pull request #996 from h2o/kazuho/setenv-to-override-http-headers
[fastcgi] environment variable overwrites `HTTP_*`

Member

kazuho commented Aug 2, 2016

@utrenkner Sorry for the delay. Just released 2.0.2.


utrenkner commented Aug 2, 2016

@kazuho Thank you. I updated our server and issued a pull request to httpoxy.org to include the h2o related mitigation httpoxy/httpoxy-org#20
