diff options
Diffstat (limited to 'main/apache2/CVE-2016-5387.patch')
| -rw-r--r-- | main/apache2/CVE-2016-5387.patch | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/main/apache2/CVE-2016-5387.patch b/main/apache2/CVE-2016-5387.patch new file mode 100644 index 0000000000..494afef17c --- /dev/null +++ b/main/apache2/CVE-2016-5387.patch @@ -0,0 +1,17 @@ +--- a/server/util_script.c (revision 1752426) ++++ b/server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them |