[packages/apache.git] / apache-CVE-2016-5387.patch

diff --git a/server/util_script.c b/server/util_script.c
index 5e071a2..443dfb6 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
         else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them
Commit	Line	Data
4b310d24 AM	1	diff --git a/server/util_script.c b/server/util_script.c
	2	index 5e071a2..443dfb6 100644
	3	--- a/server/util_script.c
	4	+++ b/server/util_script.c
	5	@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
	6	else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) {
	7	apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
	8	}
	9	+ /* HTTP_PROXY collides with a popular envvar used to configure
	10	+ * proxies, don't let clients set/override it. But, if you must...
	11	+ */
	12	+#ifndef SECURITY_HOLE_PASS_PROXY
	13	+ else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
	14	+ ;
	15	+ }
	16	+#endif
	17	/*
	18	* You really don't want to disable this check, since it leaves you
	19	* wide open to CGIs stealing passwords and people viewing them