Fix CVE-2016-5385 "httpoxy"

amphp · Jul 18, 2016 · 8125474 · 8125474
1 parent aa76ae3
commit 8125474
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+v1.0.4
+------
+
+- Fix CVE-2016-5385 "httpoxy" vulnerability with environment variables
+
 v1.0.3
 ------
 

diff --git a/lib/HttpSocketPool.php b/lib/HttpSocketPool.php
@@ -26,6 +26,12 @@ public function __construct(Reactor $reactor, SocketPool $sockPool = null, HttpT
     }
 
     private function autoDetectProxySettings() {
+        // See CVE-2016-5385, due to (emulation of) header copying with PHP web SAPIs into HTTP_* variables, HTTP_PROXY can be set by an user to any value he wants by setting the Proxy header
+        // Mitigate the vulnerability by only allowing CLI SAPIs to use HTTP(S)_PROXY environment variable
+        if (PHP_SAPI != "cli" && PHP_SAPI != "phpdbg" && PHP_SAPI != "embed") {
+            return;
+        }
+
         if (($httpProxy = getenv('http_proxy')) || ($httpProxy = getenv('HTTP_PROXY'))) {
             $this->options[self::OP_PROXY_HTTP] = $this->getUriAuthority($httpProxy);
         }