1 diff --git a/server/util_script.c b/server/util_script.c
2 index 5e071a2..443dfb6 100644
3 --- a/server/util_script.c
4 +++ b/server/util_script.c
5 @@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
6 else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) {
7 apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
9 + /* HTTP_PROXY collides with a popular envvar used to configure
10 + * proxies, don't let clients set/override it. But, if you must...
12 +#ifndef SECURITY_HOLE_PASS_PROXY
13 + else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
18 * You really don't want to disable this check, since it leaves you
19 * wide open to CGIs stealing passwords and people viewing them