[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#62678] [PATCH] services: nginx: Harden php-location settings.

From: Bruno Victal
Subject: [bug#62678] [PATCH] services: nginx: Harden php-location settings.
Date: Thu, 6 Apr 2023 14:11:43 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1

Hi Jonathan,

On 2023-04-05 21:19, Jonathan Brielmaier wrote:
> I wonder if we should at least make the HTTP_PROXY variable
> configurable. It may need to be set to something else then "" in some
> scenarios. I don't know...

No, there's no legitimate reason for this, since 'PROXY' is not
a standard HTTP header according to [1]. PROXY being passed to a cgi application
as HTTP_PROXY is what the exploit is about, since HTTP_PROXY is recognized as
a variable for configuring proxies (for curl, wget, etc.)
Allowing HTTP_PROXY to be set remotely (due to a confusion with the 
non-standard 'PROXY' header)
is simply incomprehensible.

Regarding user intent, that is, configuring the proxy used by the cgi 
application by
setting HTTP_PROXY via nginx?
I don't have this use-case but IMO it feels like an extreme poor design, since 
exploiting a name confusion to change the system environment variables for the
cgi application.

If for some reason you really need this, you can always use the regular
nginx-location-configuration to manually craft a php-location.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]