
[fastcgi] environment variable overwrites `HTTP_*` #996

Merged
merged 2 commits into from Jul 20, 2016

Conversation

@kazuho
Member

@kazuho kazuho commented Jul 19, 2016

In the current implementation, environment variables set using the setenv configuration directive do not overwrite the received HTTP request headers. The bug makes it impossible for us to use the directive to block attacks trying to exploit the httpoxy vulnerability.

This PR is a quick fix for the issue so that we can use the directive to prevent the attack.

Note that there are other issues in how we build FastCGI request parameters:

  • even with this fixed, setenv cannot rewrite specially-treated headers like HTTP_HOST
  • unsetenv cannot be used for resetting HTTP_*, etc.
  • if a request header with the same name appears more than once, only the last value is transmitted to the application; repeated headers are not comma-concatenated

So we might fix all these issues at once, depending on how long it would take.

relates to #994

@kazuho kazuho force-pushed the kazuho/setenv-to-override-http-headers branch to fd2d45c Jul 20, 2016
@kazuho kazuho merged commit 0cda25b into master Jul 20, 2016
2 checks passed
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
@utrenkner
Contributor

@utrenkner utrenkner commented Jul 25, 2016

@kazuho Do you intend to release a new 2.0.x version including this patch (or else 2.1)? Or do we have to upgrade to current in order to get protection against httpoxy?

kazuho added a commit that referenced this pull request Jul 29, 2016
[fastcgi] environment variable overwrites `HTTP_*`
@kazuho
Member Author

@kazuho kazuho commented Aug 2, 2016

@utrenkner Sorry for the delay. Just released 2.0.2.

@utrenkner
Contributor

@utrenkner utrenkner commented Aug 2, 2016

@kazuho Thank you. I updated our server and issued a pull request to httpoxy.org to include the h2o-related mitigation (httpoxy/httpoxy-org#20).
