
[bug#62678] [PATCH] services: nginx: Harden php-location settings.


From: Bruno Victal
Subject: [bug#62678] [PATCH] services: nginx: Harden php-location settings.
Date: Thu, 6 Apr 2023 14:11:43 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1

Hi Jonathan,

On 2023-04-05 21:19, Jonathan Brielmaier wrote:
> I wonder if we should at least make the HTTP_PROXY variable
> configurable. It may need to be set to something else than "" in some
> scenarios. I don't know...

No, there's no legitimate reason for this, since 'PROXY' is not a standard
HTTP header according to [1]. PROXY being passed to a cgi application as
HTTP_PROXY is what the exploit is about, since HTTP_PROXY is recognized as
a variable for configuring proxies (for curl, wget, etc.). Allowing
HTTP_PROXY to be set remotely (due to a confusion with the non-standard
'PROXY' header) is simply incomprehensible.

Regarding user intent, that is, configuring the proxy used by the cgi
application by setting HTTP_PROXY via nginx? I don't have this use-case,
but IMO it feels like an extremely poor design, since it's exploiting a
name confusion to change the system environment variables for the cgi
application.

If for some reason you really need this, you can always use the regular
nginx-location-configuration to manually craft a php-location.


[1]: https://www.iana.org/assignments/http-fields/http-fields.xhtml


Cheers,
Bruno
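The name confusion described in the message above, as an added example (not code from the thread or from the Guix patch): the generic CGI rule that turns request headers into HTTP_* variables maps a client-supplied 'Proxy' header to HTTP_PROXY, and a gateway that pins HTTP_PROXY after that mapping, which is what nginx's `fastcgi_param HTTP_PROXY "";` achieves, leaves the request no way to influence it. The request headers and the proxy URL are constructed.

```python
# Added example: illustrates the HTTP_PROXY name confusion discussed in the
# thread. Not code from Guix or the patch; the request and URL are constructed.


def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables the way gateways do:
    uppercase, '-' replaced by '_', prefixed with HTTP_. This generic rule
    is what turns an unknown 'Proxy' header into HTTP_PROXY."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# Parameters the gateway pins after mapping, equivalent in effect to
# nginx's `fastcgi_param HTTP_PROXY "";` (a hardcoded empty value).
PINNED_PARAMS = {"HTTP_PROXY": ""}


def hardened_meta_variables(headers):
    """Same mapping, but pinned parameters are applied last so that no
    request header can set them."""
    env = cgi_meta_variables(headers)
    env.update(PINNED_PARAMS)
    return env


def outbound_proxy(env):
    """Mimic a proxy-aware client (curl, wget, many HTTP libraries) that
    reads HTTP_PROXY from its environment; an empty value means no proxy."""
    return env.get("HTTP_PROXY") or None


# Constructed request carrying the non-standard 'Proxy' header.
REQUEST_HEADERS = {
    "Host": "app.example",
    "Proxy": "http://proxy.invalid:3128",  # constructed, not a real host
}


def demo():
    """Return the proxy a cgi application would use under each mapping."""
    naive = outbound_proxy(cgi_meta_variables(REQUEST_HEADERS))
    hardened = outbound_proxy(hardened_meta_variables(REQUEST_HEADERS))
    return naive, hardened


if __name__ == "__main__":
    print(demo())  # ('http://proxy.invalid:3128', None)
```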
