Skip to content

Commit

Permalink
Fix CVE-2016-5385 "httpoxy"
Browse files Browse the repository at this point in the history
# Conflicts:
#	CHANGELOG.md
  • Loading branch information
bwoebi committed Jul 18, 2016
1 parent 3e3eeda commit b60cf49
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 0 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
v2.0.4
------

- Fix CVE-2016-5385 "httpoxy" vulnerability with environment variables

v2.0.3
------

Expand Down
6 changes: 6 additions & 0 deletions lib/HttpSocketPool.php
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,12 @@ public function __construct(SocketPool $sockPool = null, HttpTunneler $tunneler
}

private function autoDetectProxySettings() {
// See CVE-2016-5385, due to (emulation of) header copying with PHP web SAPIs into HTTP_* variables, HTTP_PROXY can be set by an user to any value he wants by setting the Proxy header
// Mitigate the vulnerability by only allowing CLI SAPIs to use HTTP(S)_PROXY environment variable
if (PHP_SAPI != "cli" && PHP_SAPI != "phpdbg" && PHP_SAPI != "embed") {
return;
}

if (($httpProxy = getenv('http_proxy')) || ($httpProxy = getenv('HTTP_PROXY'))) {
$this->options[self::OP_PROXY_HTTP] = $this->getUriAuthority($httpProxy);
}
Expand Down

0 comments on commit b60cf49

Please # to comment.