From 81254742812a5a9adf4b085f543f3f21daedcd97 Mon Sep 17 00:00:00 2001
From: Bob Weinand <bobwei9@hotmail.com>
Date: Mon, 18 Jul 2016 18:37:40 +0200
Subject: [PATCH] Fix CVE-2016-5385 "httpoxy"

---
 CHANGELOG.md           | 5 +++++
 lib/HttpSocketPool.php | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6379b9..9545772 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+v1.0.4
+------
+
+- Fix CVE-2016-5385 "httpoxy" vulnerability with environment variables
+
 v1.0.3
 ------
 
diff --git a/lib/HttpSocketPool.php b/lib/HttpSocketPool.php
index fc6a5d9..bb87339 100644
--- a/lib/HttpSocketPool.php
+++ b/lib/HttpSocketPool.php
@@ -26,6 +26,12 @@ public function __construct(Reactor $reactor, SocketPool $sockPool = null, HttpT
     }
 
     private function autoDetectProxySettings() {
+        // See CVE-2016-5385, due to (emulation of) header copying with PHP web SAPIs into HTTP_* variables, HTTP_PROXY can be set by an user to any value he wants by setting the Proxy header
+        // Mitigate the vulnerability by only allowing CLI SAPIs to use HTTP(S)_PROXY environment variable
+        if (PHP_SAPI != "cli" && PHP_SAPI != "phpdbg" && PHP_SAPI != "embed") {
+            return;
+        }
+        
         if (($httpProxy = getenv('http_proxy')) || ($httpProxy = getenv('HTTP_PROXY'))) {
             $this->options[self::OP_PROXY_HTTP] = $this->getUriAuthority($httpProxy);
         }