prevent evil "Proxy" header being sent, see https://httpoxy.org for details

author Roland Haeder <roland@mxchange.org>

Tue, 19 Jul 2016 13:16:28 +0000 (15:16 +0200)

committer Roland Haeder <roland@mxchange.org>

Tue, 19 Jul 2016 13:16:28 +0000 (15:16 +0200)
author Roland Haeder <roland@mxchange.org>
Tue, 19 Jul 2016 13:16:28 +0000 (15:16 +0200)
committer Roland Haeder <roland@mxchange.org>
Tue, 19 Jul 2016 13:16:28 +0000 (15:16 +0200)
diff --git a/inc/http-functions.php b/inc/http-functions.php

index cf921efc6be61c48db7bc0a973f77bb822519e9d..acc3c6d5e6b8eddc737a6c151a913d0c14fd36f1 100644 (file)
--- a/inc/http-functions.php
+++ b/inc/http-functions.php
@@ -688,6 +688,12 @@ function extractHostnameFromUrl (&$script) {
  
  // Adds a HTTP header to array
  function addHttpHeader ($header) {
+       // Is 'Proxy' set?
+       if (substr(trim(strtolower($header)), 0, 6) == 'proxy:') {
+               // Don't allow this header being sent
+               reportBug(__FUNCTION__, __LINE__, 'Security-relevant HTTP header "Proxy" detected. Please do not set this. See https://httpoxy.org/ for details.');
+       } // END - if
+
         // Send the header
         //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, ': header=' . $header);
         array_push($GLOBALS['http_header'], trim($header));
author	Roland Haeder <roland@mxchange.org>
	Tue, 19 Jul 2016 13:16:28 +0000 (15:16 +0200)
committer	Roland Haeder <roland@mxchange.org>
	Tue, 19 Jul 2016 13:16:28 +0000 (15:16 +0200)