apache-CVE-2016-5387.patch

   1 diff --git a/server/util_script.c b/server/util_script.c
   2 index 5e071a2..443dfb6 100644
   3 --- a/server/util_script.c
   4 +++ b/server/util_script.c
   5 @@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
   6          else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) {
   7              apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
   8          }
   9 +        /* HTTP_PROXY collides with a popular envvar used to configure
  10 +         * proxies, don't let clients set/override it.  But, if you must...
  11 +         */
  12 +#ifndef SECURITY_HOLE_PASS_PROXY
  13 +        else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
  14 +            ;
  15 +        }
  16 +#endif
  17          /*
  18           * You really don't want to disable this check, since it leaves you
  19           * wide open to CGIs stealing passwords and people viewing them