|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72573 HTTP_PROXY is improperly trusted by some PHP libraries and applications
Submitted: 2016-07-11 00:27 UTC Modified: 2016-07-29 02:49 UTC
From: dominic at vendhq dot com Assigned: stas (profile)
Status: Closed Package: CGI/CLI related
PHP Version: 7.0.9RC1 OS: any
Private report: No CVE-ID: 2016-5385
 [2016-07-11 00:27 UTC] dominic at vendhq dot com
RFC 3875 (CGI) puts any HTTP 'Proxy' header present in a request into the environment as HTTP_PROXY. HTTP_PROXY (or http_proxy) has also become a popular environment variable used to configure an outgoing proxy.

The collision between the two leads to a security vulnerability in applications that trust getenv('HTTP_PROXY') as if it were a "real" unix environment variable.

Originally reported via email to on June 30.

Test script:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-07-11 00:56 UTC]
-Assigned To: +Assigned To: stas
 [2016-07-11 00:59 UTC]
Mitigation patch is in and in security repo as 98b9dfaec95e6f910f125ed172cdbd25abd006ec
 [2016-07-11 01:03 UTC]
BTW, I see in Guzzle they use http_proxy. I'm not sure whether it's case sensitive but I suspect that it is. I don't know any implementation that would define HTTP meta-vars in lowercase.
 [2016-07-11 01:04 UTC]
In the first link it's uppercase but in the second it's lowercase...
 [2016-07-11 01:11 UTC] dominic at vendhq dot com
> I'm not sure whether it's case sensitive but I suspect that it is. 

AFAIK, getenv is case insensitive on Windows. ($_SERVER is another story though, because once the keys are in the actual array they're case sensitive again.) So, it's a mixed bag.

I definitely think we should recommend that people go with the libwww-perl/Ruby mitigation (CGI_HTTP_PROXY), and not the wget/curl "mitigation" of using lowercase http_proxy (which has lead to them still being vulnerable in e.g. a batch script on Windows running under CGI)

> I don't know any implementation that would define HTTP meta-vars in lowercase.

You're right that all the CGI implementations define it in uppercase. The problem is that there are environments that don't support case sensitive environment variables at all.
 [2016-07-12 08:05 UTC]
-CVE-ID: +CVE-ID: 2016-5385
 [2016-07-18 17:56 UTC] dominic at vendhq dot com
Public disclosure date has passed. Probably doesn't need to be marked private any more.
 [2016-07-19 07:54 UTC]
-Status: Assigned +Status: Closed
 [2016-07-19 07:54 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2016-07-29 02:00 UTC] mtjmchugh at gmail dot com
There is a reference that this bug is tied to unix systems.  Is this a security issue for windows systems?
 [2016-07-29 02:49 UTC]
If they use CGI/FCGI, yes. Any system that has environment variables as a concept would be vulnerable, probably.
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC