Prevent CGI proxy hack
A new security advisory has been released. Abstract:

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now.

See https://httpoxy.org/#mitigate-varnish for the details.
carlalexander authored Jul 19, 2016
1 parent 476adbb commit 9614f76
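The namespace collision the advisory describes, as an added example that is not part of this repository or of the httpoxy advisory: the Python below simulates the RFC 3875 header-to-environment mapping, shows a client that trusts HTTP_PROXY picking up an attacker's Proxy header, and then applies the two independent mitigations, the edge-side removal of the header (what `unset req.http.proxy` in this commit does) and the client-side rule of ignoring the upper-case HTTP_PROXY whenever REQUEST_METHOD is set. The request headers, the `attacker.invalid` host and all function names are constructed for illustration.

```python
# Added example: simulates the httpoxy collision and its mitigations.
# Not code from this repository or from the httpoxy advisory.
from typing import Dict, Optional

# Constructed request: the attacker supplies a Proxy header. The host name
# is an illustration only.
ATTACK_HEADERS = {
    "Host": "example.com",
    "User-Agent": "curl/7.49",
    "Proxy": "http://attacker.invalid:8080",
}


def cgi_environ(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """RFC 3875 section 4.1.18: each request header becomes HTTP_<NAME>,
    with the name upper-cased and '-' replaced by '_'. Any spelling of the
    Proxy header (Proxy, proxy, PROXY) therefore lands in HTTP_PROXY."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """What many HTTP client libraries did before the advisory: take the
    outgoing proxy from HTTP_PROXY/http_proxy without asking where the
    variable came from."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Edge mitigation, the equivalent of `unset req.http.proxy` in this
    commit: drop the header before it reaches the CGI layer. Header names
    are case-insensitive, so compare in lower case."""
    return {name: value for name, value in headers.items() if name.lower() != "proxy"}


def cgi_aware_outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Client-side mitigation adopted by several libraries after the advisory:
    REQUEST_METHOD is set only under CGI, and there the upper-case HTTP_PROXY
    is attacker-controlled, so ignore it; lower-case http_proxy, which the
    RFC 3875 mapping does not produce from a header, stays usable."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def demo() -> Dict[str, Optional[str]]:
    """Run the attack through each path and report the proxy each would use."""
    vulnerable_env = cgi_environ(ATTACK_HEADERS)
    hardened_env = cgi_environ(strip_proxy_header(ATTACK_HEADERS))
    # Same attack with a different spelling of the header name.
    odd_case_headers = {"pRoXy": "http://attacker.invalid:8080"}
    return {
        "vulnerable": naive_outbound_proxy(vulnerable_env),
        "edge_stripped": naive_outbound_proxy(hardened_env),
        "client_aware": cgi_aware_outbound_proxy(vulnerable_env),
        "odd_case_vulnerable": naive_outbound_proxy(cgi_environ(odd_case_headers)),
        "odd_case_stripped": naive_outbound_proxy(
            cgi_environ(strip_proxy_header(odd_case_headers))
        ),
    }


if __name__ == "__main__":
    for path, proxy in demo().items():
        print(f"{path:20s} -> {proxy}")
```

Both mitigations are worth having: the edge rule protects every backend behind Varnish regardless of which client library it uses, while the client-side rule still protects a backend that is reached without passing through the cache.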
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions default.vcl
@@ -65,6 +65,9 @@ sub vcl_recv {

# Normalize the header, remove the port (in case you're testing this on various TCP ports)
set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");

# Remove the proxy header (see https://httpoxy.org/#mitigate-varnish)
unset req.http.proxy;

# Normalize the query arguments
set req.url = std.querysort(req.url);
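Review bot: the `unset req.http.proxy;` at line 68 only takes effect for requests that get that far into vcl_recv; the first 64 lines of the sub are outside this hunk, and if any of them does `return (pass)`, `return (pipe)` or `return (hash)` before this point, those requests still reach the backend carrying the Proxy header. Unless there is a reason to keep it next to the Host normalization, consider making it one of the first statements of vcl_recv. A short comment that VCL header names are case-insensitive (so `req.http.proxy` also matches `Proxy` and `PROXY`) would save the next reader from wondering whether the lowercase spelling is a gap.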

0 comments on commit 9614f76
