Mitigation patch is in https://gist.github.com/smalyshev/ba40554d812723e0397dd0cfef57932d and in security repo as 98b9dfaec95e6f910f125ed172cdbd25abd006ec

BTW, I see in Guzzle they use http_proxy. I'm not sure whether it's case sensitive but I suspect that it is. I don't know any implementation that would define HTTP meta-vars in lowercase.

In the first link it's uppercase but in the second it's lowercase...

> I'm not sure whether it's case sensitive but I suspect that it is. 

AFAIK, getenv is case insensitive on Windows. ($_SERVER is another story though, because once the keys are in the actual array they're case sensitive again.) So, it's a mixed bag.

I definitely think we should recommend that people go with the libwww-perl/Ruby mitigation (CGI_HTTP_PROXY), and not the wget/curl "mitigation" of using lowercase http_proxy (which has lead to them still being vulnerable in e.g. a batch script on Windows running under CGI)

> I don't know any implementation that would define HTTP meta-vars in lowercase.

You're right that all the CGI implementations define it in uppercase. The problem is that there are environments that don't support case sensitive environment variables at all.

Public disclosure date has passed. Probably doesn't need to be marked private any more.

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

There is a reference that this bug is tied to unix systems.  Is this a security issue for windows systems?

If they use CGI/FCGI, yes. Any system that has environment variables as a concept would be vulnerable, probably.