@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Blanket-reject requests which may have been poisoned by a "Proxy" header to mitigate the httpoxy vulnerability

Summary:
See accompanying discussion in T11359.

As far as I can tell we aren't vulnerable, but subprocesses could be (now, or in the future). Reject any request which may have a `Proxy:` header.

This will also do a false-positive reject if `HTTP_PROXY` is defined in the environment, but this is likely a misconfiguration (cURL does not read it). I'll provide guidance on this.

Test Plan:
- Made requests using `curl -H Proxy:...`, got rejected.
- Made normal requests, got normal pages.

Reviewers: chad, avivey

Reviewed By: avivey

Differential Revision: https://secure.phabricator.com/D16318

+8 -1
support/PhabricatorStartup.php
··· 374 374 $http_error = 500); 375 375 376 376 error_log($log_message); 377 - echo $message; 377 + echo $message."\n"; 378 378 379 379 exit(1); 380 380 } ··· 528 528 "cause Phabricator to fatal unrecoverably with nonsense errors). ". 529 529 "Downgrade to version 3.1.13."); 530 530 } 531 + } 532 + 533 + if (isset($_SERVER['HTTP_PROXY'])) { 534 + self::didFatal( 535 + 'This HTTP request included a "Proxy:" header, poisoning the '. 536 + 'environment (CVE-2016-5385 / httpoxy). Declining to process this '. 537 + 'request. For details, see: https://phurl.io/u/httpoxy'); 531 538 } 532 539 } 533 540
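Review bot: the trailing "\n" appended to `echo $message` in the first hunk (line 377) only changes the body of the fatal response; `$http_error = 500`, `error_log($log_message)` and `exit(1)` are untouched, so this is a cosmetic improvement for text clients such as the `curl` used in the test plan (the log entry keeps its own line termination via `error_log`). No further change needed here.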
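Review bot: in the second hunk, `isset($_SERVER['HTTP_PROXY'])` cannot tell a client-supplied `Proxy:` header apart from an `HTTP_PROXY` variable that is genuinely set in the server environment (the false-positive case the summary acknowledges), yet the fatal text states unconditionally that 'This HTTP request included a "Proxy:" header'. Suggest wording that names both causes, e.g. 'HTTP_PROXY is set in this request's environment, either because the request carried a "Proxy:" header or because HTTP_PROXY is defined in the server environment (CVE-2016-5385 / httpoxy)', so an operator hitting the misconfiguration is not sent looking for a header that was never sent. Also note that `self::didFatal()` answers with status 500 (`$http_error = 500`, line 374 in the first hunk); for a request rejected because of client input a 400 would be the more accurate status, though since `didFatal()` hardcodes 500 that would be a separate change.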