HTTP_PROXY is improperly trusted by some PHP libraries and applications

Sec Bug #72573 HTTP_PROXY is improperly trusted by some PHP libraries and applications
Submitted: 2016-07-11 00:27 UTC
Modified: 2016-07-29 02:49 UTC
From: dominic at vendhq dot com
Assigned: stas
Status: Closed
Package: CGI/CLI related
PHP Version: 7.0.9RC1
OS: any
Private report: No
CVE-ID: 2016-5385

History


 [2016-07-11 00:56 UTC] stas@php.net

-Assigned To: +Assigned To: stas

 [2016-07-11 01:03 UTC] stas@php.net

BTW, I see in Guzzle they use http_proxy. I'm not sure whether it's case sensitive but I suspect that it is. I don't know any implementation that would define HTTP meta-vars in lowercase.

 [2016-07-11 01:04 UTC] stas@php.net

In the first link it's uppercase but in the second it's lowercase...

 [2016-07-11 01:11 UTC] dominic at vendhq dot com

> I'm not sure whether it's case sensitive but I suspect that it is. 

AFAIK, getenv is case insensitive on Windows. ($_SERVER is another story though, because once the keys are in the actual array they're case sensitive again.) So, it's a mixed bag.

I definitely think we should recommend that people go with the libwww-perl/Ruby mitigation (CGI_HTTP_PROXY), and not the wget/curl "mitigation" of using lowercase http_proxy (which has led to them still being vulnerable in e.g. a batch script on Windows running under CGI).

> I don't know any implementation that would define HTTP meta-vars in lowercase.

You're right that all the CGI implementations define it in uppercase. The problem is that there are environments that don't support case sensitive environment variables at all.
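
The two mitigations compared in the comment above, as an added example (not part of the thread, and not code from PHP or any library named here): under CGI a request's `Proxy` header is exposed as `HTTP_PROXY`, and the code shows why a lowercase-only lookup still reads it where variable names are case-insensitive, while a dedicated `CGI_HTTP_PROXY` name does not. The function names, the `$caseInsensitive` switch and the sample environment are constructed for illustration.

```php
<?php
// Added illustration; env_get() and select_outbound_proxy() are hypothetical names.

/** Look up $name in an environment map, optionally ignoring case (as on Windows). */
function env_get(array $env, string $name, bool $caseInsensitive): ?string
{
    foreach ($env as $key => $value) {
        $key = (string) $key;
        $hit = $caseInsensitive ? strcasecmp($key, $name) === 0 : $key === $name;
        if ($hit && $value !== '') {
            return (string) $value;
        }
    }
    return null;
}

/** Choose the outbound proxy without trusting request-derived HTTP_* variables. */
function select_outbound_proxy(array $env, string $sapi, bool $caseInsensitive): ?string
{
    // A CLI process has an environment that no HTTP request helped to build.
    if ($sapi === 'cli') {
        return env_get($env, 'HTTP_PROXY', $caseInsensitive)
            ?? env_get($env, 'http_proxy', $caseInsensitive);
    }
    // Under CGI-style SAPIs any HTTP_* name may hold a request header,
    // so only the dedicated CGI_HTTP_PROXY name is honoured.
    return env_get($env, 'CGI_HTTP_PROXY', $caseInsensitive);
}

// Constructed sample: CGI environment for a request that carried a Proxy header.
$cgiEnv = ['REQUEST_METHOD' => 'GET', 'HTTP_PROXY' => 'http://192.0.2.10:8080'];

foreach ([false, true] as $ci) {
    $platform = $ci ? 'case-insensitive names' : 'case-sensitive names';
    // Lowercase-only lookup (the wget/curl approach) versus the dedicated name.
    $lowercaseOnly = env_get($cgiEnv, 'http_proxy', $ci);
    $dedicated = select_outbound_proxy($cgiEnv, 'cgi-fcgi', $ci);
    printf("%s: http_proxy lookup => %s, CGI_HTTP_PROXY policy => %s\n",
        $platform, $lowercaseOnly ?? '(unset)', $dedicated ?? '(unset)');
}
```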

 [2016-07-12 08:05 UTC] remi@php.net

-CVE-ID: +CVE-ID: 2016-5385

 [2016-07-18 17:56 UTC] dominic at vendhq dot com

Public disclosure date has passed. Probably doesn't need to be marked private any more.

 [2016-07-19 07:54 UTC] stas@php.net

-Status: Assigned +Status: Closed

 [2016-07-19 07:54 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 [2016-07-29 02:00 UTC] mtjmchugh at gmail dot com

There is a reference that this bug is tied to Unix systems. Is this a security issue for Windows systems?

 [2016-07-29 02:49 UTC] stas@php.net

If they use CGI/FCGI, yes. Any system that has environment variables as a concept would be vulnerable, probably.