From b60cf493c9e577a3678865f620b1eb61ab3d7ca9 Mon Sep 17 00:00:00 2001
From: Bob Weinand <bobwei9@hotmail.com>
Date: Mon, 18 Jul 2016 18:37:40 +0200
Subject: [PATCH] Fix CVE-2016-5385 "httpoxy"

# Conflicts:
#	CHANGELOG.md
---
 CHANGELOG.md           | 5 +++++
 lib/HttpSocketPool.php | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 21168dc..651b6c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+v2.0.4
+------
+
+- Fix CVE-2016-5385 "httpoxy" vulnerability with environment variables
+
 v2.0.3
 ------
 
diff --git a/lib/HttpSocketPool.php b/lib/HttpSocketPool.php
index ac0f244..beaa30d 100644
--- a/lib/HttpSocketPool.php
+++ b/lib/HttpSocketPool.php
@@ -23,6 +23,12 @@ public function __construct(SocketPool $sockPool = null, HttpTunneler $tunneler
     }
 
     private function autoDetectProxySettings() {
+        // See CVE-2016-5385, due to (emulation of) header copying with PHP web SAPIs into HTTP_* variables, HTTP_PROXY can be set by an user to any value he wants by setting the Proxy header
+        // Mitigate the vulnerability by only allowing CLI SAPIs to use HTTP(S)_PROXY environment variable
+        if (PHP_SAPI != "cli" && PHP_SAPI != "phpdbg" && PHP_SAPI != "embed") {
+            return;
+        }
+        
         if (($httpProxy = getenv('http_proxy')) || ($httpProxy = getenv('HTTP_PROXY'))) {
             $this->options[self::OP_PROXY_HTTP] = $this->getUriAuthority($httpProxy);
         }