We no longer read the HTTP_PROXY environment variable in uppercase, since
it can become a security problem (Bugs item #415391)
This commit is contained in:
parent
d7b54eb835
commit
18f044f19d
14
lib/url.c
14
lib/url.c
@ -1579,7 +1579,19 @@ static CURLcode Connect(struct UrlData *data,
|
||||
/* read the protocol proxy: */
|
||||
prox=curl_getenv(proxy_env);
|
||||
|
||||
if(!prox) {
|
||||
/*
|
||||
* We don't try the uppercase version of HTTP_PROXY because of
|
||||
* security reasons:
|
||||
*
|
||||
* When curl is used in a webserver application
|
||||
* environment (cgi or php), this environment variable can
|
||||
* be controlled by the web server user by setting the
|
||||
* http header 'Proxy:' to some value.
|
||||
*
|
||||
* This can cause 'internal' http/ftp requests to be
|
||||
* arbitrarily redirected by any external attacker.
|
||||
*/
|
||||
if(!prox && !strequal("http_proxy", proxy_env)) {
|
||||
/* There was no lowercase variable, try the uppercase version: */
|
||||
for(envp = proxy_env; *envp; envp++)
|
||||
*envp = toupper(*envp);
|
||||
|
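Review bot: The uppercasing loop at the end of the hunk passes a plain `char` to `toupper()`, which is undefined for negative values on platforms where `char` is signed; the conventional form is `*envp = toupper((unsigned char)*envp);`. This is presumably harmless here if `proxy_env` is only ever built from an ASCII protocol name, but that is constructed outside the hunk and cannot be confirmed from it. The new comment block also understates who the attacker is: it is not "the web server user" but any remote client, since CGI copies a `Proxy:` request header into the `HTTP_PROXY` variable, so I would reword that sentence to `* can be set by any remote client, because CGI exposes a 'Proxy:' request header as HTTP_PROXY.` The enclosing `if` block and `Connect()` continue past the end of the hunk, so the in-place mutation of `proxy_env` by the loop may be visible to later code that is not shown.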