we don't use the HTTP_PROXY environment variable in uppercase anymore, since
it might become a security problem (Bugs item #415391)
This commit is contained in:
parent
d7b54eb835
commit
18f044f19d
14
lib/url.c
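--- a/lib/url.c
+++ b/lib/url.c
@@ -1579,7 +1579,19 @@ static CURLcode Connect(struct UrlData *data,
     /* read the protocol proxy: */
     prox=curl_getenv(proxy_env);
 
-    if(!prox) {
+    /*
+     * We don't try the uppercase version of HTTP_PROXY because of
+     * security reasons:
+     *
+     * When curl is used in a webserver application
+     * environment (cgi or php), this environment variable can
+     * be controlled by the web server user by setting the
+     * http header 'Proxy:' to some value.
+     *
+     * This can cause 'internal' http/ftp requests to be
+     * arbitrarily redirected by any external attacker.
+     */
+    if(!prox && !strequal("http_proxy", proxy_env)) {
       /* There was no lowercase variable, try the uppercase version: */
       for(envp = proxy_env; *envp; envp++)
         *envp = toupper(*envp);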
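Review bot: The added comment above the new guard attributes the injected variable to "the web server user", but the party who actually controls it is any remote HTTP client: a CGI gateway copies request headers into HTTP_* environment variables, so a `Proxy:` request header arrives in curl's environment as HTTP_PROXY. I would reword those two lines to `* be set by any remote client simply by sending a 'Proxy:' request` / `* header, which the CGI gateway exposes as HTTP_PROXY.` so the next maintainer does not narrow the threat to a local account. Keying the exception on `strequal("http_proxy", proxy_env)` (presumably curl's case-insensitive compare) is the right boundary, since only HTTP_*-prefixed names are reachable through headers, so lowercase http_proxy and the other *_PROXY variables still get the uppercase fallback safely. One consequence worth stating in the comment or the man page is that an uppercase HTTP_PROXY set in an ordinary shell is now silently ignored for http URLs with no diagnostic, so only the lowercase spelling is honoured. The rest of Connect(), including whatever consumes `prox` after the uppercase retry, lies outside this hunk.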