Mailing List Archive

Blacklisting HTTP_PROXY variable for CGIs?
Hi,

there are several programs that honor the HTTP_PROXY environment
variable in upper case. This is of course problematic if such programs
are called inside CGIs because the variable can be set by an attacker
via the Proxy: header.

It goes without question that all these programs need to be fixed. But
I think it would still be a good idea if httpd would not export the
HTTP_PROXY variable to CGIs and other subprocesses (mod_include, etc.)
by default. The easiest way to achieve this would be to modify the
ap_add_common_vars() function. Probably there should be a config knob
to revert to the old behavior. For now, a flag would be enough, but
this could later be extended to allow to specify a list of variables.

Another place where HTTP_PROXY should be blacklisted is probably the
suexec helper. This would of course not be configurable.

What do you think? If you agree, how should the config directive be
called? BlacklistEnv (on/off for now but maybe a list of vars in the
future)?

Cheers,
Stefan
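To make the mechanism in the proposal concrete, here is an added illustration (not httpd's own ap_add_common_vars(), and not code from this thread) of the CGI rule that turns a request header into an HTTP_ environment variable, with the proposed blacklist applied before export. The function and variable names are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Added illustration, not httpd's ap_add_common_vars(): mimics the CGI rule
 * (RFC 3875 section 4.1.18) by which a request header "Name: value" becomes
 * the environment variable HTTP_NAME, and shows a blacklist dropping HTTP_PROXY
 * so a client-supplied "Proxy:" header never reaches a CGI child. */

static const char *const env_blacklist[] = { "HTTP_PROXY", NULL };  /* constructed */

/* "HTTP_" + header name uppercased, '-' -> '_'. Returns -1 if out is too small. */
int cgi_env_name(const char *header, char *out, size_t outlen)
{
    size_t n = strlen(header);
    if (n + sizeof("HTTP_") > outlen)       /* prefix + name + NUL must fit */
        return -1;
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)header[i];
        out[5 + i] = (c == '-') ? '_' : (char)toupper(c);
    }
    out[5 + n] = '\0';
    return 0;
}

/* 1 if the variable may be exported to subprocesses, 0 if blacklisted. */
int env_is_exportable(const char *name)
{
    for (const char *const *p = env_blacklist; *p; p++)
        if (strcmp(*p, name) == 0)
            return 0;
    return 1;
}

/* For one request header, decide whether it reaches the CGI environment;
 * names that do not fit the buffer are dropped, never truncated. */
int header_exported_to_cgi(const char *header)
{
    char name[128];
    if (cgi_env_name(header, name, sizeof name) != 0)
        return 0;
    return env_is_exportable(name);
}

int main(void)
{
    const char *sample[] = { "Host", "User-Agent", "Proxy", "proxy" };  /* constructed */
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++)
        printf("%-12s -> %s\n", sample[i], header_exported_to_cgi(sample[i]) ? "exported" : "BLACKLISTED");
    return 0;
}
```

Note that header names are case-insensitive, so "proxy:" and "PROXY:" both normalize to HTTP_PROXY and are dropped the same way.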
Re: Blacklisting HTTP_PROXY variable for CGIs?
Hi

On Sun, Feb 1, 2015 at 9:04 AM, Stefan Fritsch <sf@sfritsch.de> wrote:
> What do you think?

+1

> If you agree, how should the config directive be
> called? BlacklistEnv (on/off for now but maybe a list of vars in the
> future)?

Maybe a regexp?
That would also allow whitelisting with something like "^(?!whitelist)$".

Regards,
Yann.
Re: Blacklisting HTTP_PROXY variable for CGIs?
On Sun, 2015-02-01 at 09:04 +0100, Stefan Fritsch wrote:

> I think it would still be a good idea if httpd would not export the
> HTTP_PROXY variable to CGIs and other subprocesses (mod_include, etc.)

Simple workaround:

Untaint Header:Proxy s/.+//

--
Nick Kew
Re: Blacklisting HTTP_PROXY variable for CGIs?
On Thu, Feb 5, 2015 at 3:33 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> That would also allow whitelisting with something like "^(?!whitelist)$".
Without the trailing $ :)