From f73b3a96cbcde777125192e1cd1c205c3ea78172 Mon Sep 17 00:00:00 2001
From: Roland Haeder <roland@mxchange.org>
Date: Tue, 19 Jul 2016 15:16:28 +0200
Subject: [PATCH] prevent evil "Proxy" header being sent, see
 https://httpoxy.org for details

---
 inc/http-functions.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/inc/http-functions.php b/inc/http-functions.php
index cf921efc6b..acc3c6d5e6 100644
--- a/inc/http-functions.php
+++ b/inc/http-functions.php
@@ -688,6 +688,12 @@ function extractHostnameFromUrl (&$script) {
 
 // Adds a HTTP header to array
 function addHttpHeader ($header) {
+	// Is 'Proxy' set?
+	if (substr(trim(strtolower($header)), 0, 6) == 'proxy:') {
+		// Don't allow this header being sent
+		reportBug(__FUNCTION__, __LINE__, 'Security-relevant HTTP header "Proxy" detected. Please do not set this. See https://httpoxy.org/ for details.');
+	} // END - if
+
 	// Send the header
 	//* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, ': header=' . $header);
 	array_push($GLOBALS['http_header'], trim($header));
-- 
2.30.2