From f73b3a96cbcde777125192e1cd1c205c3ea78172 Mon Sep 17 00:00:00 2001 From: Roland Haeder Date: Tue, 19 Jul 2016 15:16:28 +0200 Subject: [PATCH] prevent evil "Proxy" header being sent, see https://httpoxy.org for details --- inc/http-functions.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/inc/http-functions.php b/inc/http-functions.php index cf921efc6b..acc3c6d5e6 100644 --- a/inc/http-functions.php +++ b/inc/http-functions.php @@ -688,6 +688,12 @@ function extractHostnameFromUrl (&$script) { // Adds a HTTP header to array function addHttpHeader ($header) { + // Is 'Proxy' set? + if (substr(trim(strtolower($header)), 0, 6) == 'proxy:') { + // Don't allow this header being sent + reportBug(__FUNCTION__, __LINE__, 'Security-relevant HTTP header "Proxy" detected. Please do not set this. See https://httpoxy.org/ for details.'); + } // END - if + // Send the header //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, ': header=' . $header); array_push($GLOBALS['http_header'], trim($header)); -- 2.39.5