
[fastcgi] environment variable overwrites HTTP_* #996

Merged
merged 2 commits into from
Jul 20, 2016

Conversation

kazuho
Member

@kazuho kazuho commented Jul 19, 2016

In the current implementation, environment variables set using the setenv configuration directive do not overwrite the received HTTP request headers. The bug makes it impossible for us to use the directive to block attacks trying to exploit the httpoxy vulnerability.

This PR is a quick fix for the issue so that we can use the directive to prevent the attack.

Note that there are other issues in how we build FastCGI request parameters:

  • even with this fixed, setenv cannot rewrite specially-treated headers like HTTP_HOST
  • unsetenv cannot be used for resetting HTTP_*, etc.
  • if a request header with the same name appears more than once, only the last value is transmitted to the application; repeated headers are not comma-concatenated

So we might fix all these issues at once, depending on how long it would take.

relates to #994
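To make the ordering problem concrete, here is an added illustration (not h2o's code, and not part of the pull request) that models how FastCGI parameters are assembled from request headers and from `setenv`. The "before" function assumes the buggy order described above (headers written after the configured variables, so a client-supplied `Proxy` header wins); the "after" function applies `setenv` last, which is the behaviour this PR introduces. The header names, addresses and the `HTTP_PROXY` setenv entry are constructed sample data; the last-duplicate-wins behaviour for repeated headers mirrors the third bullet in the description.

```python
"""Model of FastCGI parameter construction: request headers vs. setenv.

Illustration added to this discussion; it is not h2o's implementation.
"""
from typing import Dict, List, Tuple

# Constructed request headers: a client trying to smuggle HTTP_PROXY through
# a "Proxy" header (the httpoxy pattern) plus a repeated header.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("host", "example.test"),
    ("proxy", "http://198.51.100.1:8080"),   # constructed value
    ("x-forwarded-for", "198.51.100.7"),
    ("x-forwarded-for", "203.0.113.9"),
]

# Constructed equivalent of a FastCGI handler `setenv` directive that
# forces HTTP_PROXY to an empty value for the backend.
SAMPLE_SETENV: Dict[str, str] = {"HTTP_PROXY": ""}


def header_to_cgi_name(name: str) -> str:
    """CGI (RFC 3875) mapping: 'x-forwarded-for' -> 'HTTP_X_FORWARDED_FOR'."""
    return "HTTP_" + name.upper().replace("-", "_")


def params_before_fix(headers: List[Tuple[str, str]],
                      setenv: Dict[str, str]) -> Dict[str, str]:
    """Assumed buggy order: setenv first, then headers, so the request wins."""
    params: Dict[str, str] = dict(setenv)
    for name, value in headers:
        params[header_to_cgi_name(name)] = value   # last duplicate wins
    return params


def params_after_fix(headers: List[Tuple[str, str]],
                     setenv: Dict[str, str]) -> Dict[str, str]:
    """Fixed order: headers first, then setenv overwrites the HTTP_* values."""
    params: Dict[str, str] = {}
    for name, value in headers:
        params[header_to_cgi_name(name)] = value   # last duplicate wins
    params.update(setenv)
    return params


def is_httpoxy_blocked(params: Dict[str, str]) -> bool:
    """A backend honouring HTTP_PROXY is only safe if it is absent or empty."""
    return params.get("HTTP_PROXY", "") == ""


if __name__ == "__main__":
    before = params_before_fix(SAMPLE_HEADERS, SAMPLE_SETENV)
    after = params_after_fix(SAMPLE_HEADERS, SAMPLE_SETENV)
    print("before fix: HTTP_PROXY=%r blocked=%s"
          % (before["HTTP_PROXY"], is_httpoxy_blocked(before)))
    print("after fix:  HTTP_PROXY=%r blocked=%s"
          % (after["HTTP_PROXY"], is_httpoxy_blocked(after)))
    print("repeated header, last value only:", after["HTTP_X_FORWARDED_FOR"])
```

Running the script shows the operator's `setenv` value losing to the request header in the first ordering and winning in the second; it also shows that a repeated header reaches the backend as its last value only, which is why `unsetenv` and a comma-join would still be needed for a complete fix.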

@kazuho kazuho force-pushed the kazuho/setenv-to-override-http-headers branch from 5681f5a to fd2d45c Compare July 20, 2016 09:25
@kazuho kazuho merged commit 0cda25b into master Jul 20, 2016
@utrenkner
Contributor

@kazuho Do you intend to release a new 2.0.x version including this patch (or else 2.1)? Or do we have to upgrade to current in order to get protection against httpoxy?

kazuho added a commit that referenced this pull request Jul 29, 2016
[fastcgi] environment variable overwrites `HTTP_*`
@kazuho
Member Author

kazuho commented Aug 2, 2016

@utrenkner Sorry for the delay. Just released 2.0.2.

@utrenkner
Contributor

@kazuho Thank you. I updated our server and issued a pull request to httpoxy.org to include the h2o-related mitigation: httpoxy/httpoxy-org#20
