go to bug id or search bugs for
RFC 3875 (CGI) puts any HTTP 'Proxy' header present in a request into the environment as HTTP_PROXY. HTTP_PROXY (or http_proxy) has also become a popular environment variable used to configure an outgoing proxy.
The collision between the two leads to a security vulnerability in applications that trust getenv('HTTP_PROXY') as if it were a "real" unix environment variable.
Originally reported via email to firstname.lastname@example.org on June 30.
Add a Patch
Add a Pull Request
Mitigation patch is in https://gist.github.com/smalyshev/ba40554d812723e0397dd0cfef57932d and in security repo as 98b9dfaec95e6f910f125ed172cdbd25abd006ec
BTW, I see in Guzzle they use http_proxy. I'm not sure whether it's case sensitive but I suspect that it is. I don't know any implementation that would define HTTP meta-vars in lowercase.
In the first link it's uppercase but in the second it's lowercase...
> I'm not sure whether it's case sensitive but I suspect that it is.
AFAIK, getenv is case insensitive on Windows. ($_SERVER is another story though, because once the keys are in the actual array they're case sensitive again.) So, it's a mixed bag.
I definitely think we should recommend that people go with the libwww-perl/Ruby mitigation (CGI_HTTP_PROXY), and not the wget/curl "mitigation" of using lowercase http_proxy (which has lead to them still being vulnerable in e.g. a batch script on Windows running under CGI)
> I don't know any implementation that would define HTTP meta-vars in lowercase.
You're right that all the CGI implementations define it in uppercase. The problem is that there are environments that don't support case sensitive environment variables at all.
Public disclosure date has passed. Probably doesn't need to be marked private any more.
The fix for this bug has been committed.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
There is a reference that this bug is tied to unix systems. Is this a security issue for windows systems?
If they use CGI/FCGI, yes. Any system that has environment variables as a concept would be vulnerable, probably.