Last change
on this file since 2834 was
2774,
checked in by andersk, 8 years ago
|
Apply the 2015 suexec patch for CVE-2016-5387 “httpoxy”.
Also remove our inexplicable whitelist entry for HTTPS_* environment
variables.
|
File size:
1.3 KB
|
Rev | Line | |
---|
[2774] | 1 | ------------------------------------------------------------------------ |
---|
| 2 | r1659711 | sf | 2015-02-13 18:24:10 -0500 (Fri, 13 Feb 2015) | 4 lines |
---|
| 3 | |
---|
| 4 | suexec: Filter out HTTP_PROXY |
---|
| 5 | |
---|
| 6 | Some programs look there for the http proxy server. |
---|
| 7 | |
---|
| 8 | |
---|
| 9 | Index: support/suexec.c |
---|
| 10 | =================================================================== |
---|
| 11 | --- support/suexec.c (revision 1659710) |
---|
| 12 | +++ support/suexec.c (revision 1659711) |
---|
| 13 | @@ -91,8 +91,8 @@ |
---|
| 14 | static const char *const safe_env_lst[] = |
---|
| 15 | { |
---|
| 16 | /* variable name starts with */ |
---|
| 17 | - "HTTP_", |
---|
| 18 | "SSL_", |
---|
| 19 | + /* "HTTP_" is handled specially in clean_env() */ |
---|
| 20 | |
---|
| 21 | /* variable name is */ |
---|
| 22 | "AUTH_TYPE=", |
---|
| 23 | @@ -253,6 +253,20 @@ |
---|
| 24 | cidx++; |
---|
| 25 | |
---|
| 26 | for (ep = envp; *ep && cidx < AP_ENVBUF-1; ep++) { |
---|
| 27 | + if (strncmp(*ep, "HTTP_", 5) == 0) { |
---|
| 28 | + if (strncmp(*ep + 5, "PROXY=", 6) == 0) { |
---|
| 29 | + /* |
---|
| 30 | + * HTTP_PROXY is treated as alias for http_proxy by some |
---|
| 31 | + * programs. |
---|
| 32 | + */ |
---|
| 33 | + } |
---|
| 34 | + else { |
---|
| 35 | + /* Other HTTP_* are safe */ |
---|
| 36 | + cleanenv[cidx] = *ep; |
---|
| 37 | + cidx++; |
---|
| 38 | + } |
---|
| 39 | + continue; |
---|
| 40 | + } |
---|
| 41 | for (idx = 0; safe_env_lst[idx]; idx++) { |
---|
| 42 | if (!strncmp(*ep, safe_env_lst[idx], |
---|
| 43 | strlen(safe_env_lst[idx]))) { |
---|
| 44 | |
---|
| 45 | ------------------------------------------------------------------------ |
---|
Note: See
TracBrowser
for help on using the repository browser.