Security flaw http://httpoxy.org/ fixed

A security flaw with HTTP_PROXY fixed. When we now construct the cgi env variables, we just skip the Proxy header. Reported by dominic@varspool.com
erlyaws · Jul 25, 2016 · 9d8fb07 · 9d8fb07
1 parent 80813f9
commit 9d8fb07
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/src/yaws_cgi.erl b/src/yaws_cgi.erl
@@ -368,11 +368,21 @@ build_env(Arg, Scriptfilename, Pathinfo, ExtraEnv, SC) ->
             {"HTTP_IF_NONE_MATCH", H#headers.if_none_match},
             {"HTTP_IF_UNMODIFIED_SINCE", H#headers.if_unmodified_since},
             {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))}
-           ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end,
-                        H#headers.other)
+           ]++ other_headers(H#headers.other)
           )) ++
         Extra_CGI_Vars.
 
+other_headers(Headers) ->
+    lists:zf(fun({http_header,_,Var,_,Val}) ->
+                     case tohttp(Var) of
+                         "HTTP_PROXY" ->
+                             %% See http://httpoxy.org/
+                             false;
+                         HTTP ->
+                             {true, {HTTP,Val}}
+                     end
+             end, Headers).
+
 tohttp(X) ->
     "HTTP_"++lists:map(fun tohttp_c/1, yaws:to_list(X)).