1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00

we don't use the HTTP_PROXY environment variable in uppercase anymore, since

it might become a security problem (Bugs item #415391)
This commit is contained in:
Daniel Stenberg 2001-04-11 14:13:52 +00:00
parent d7b54eb835
commit 18f044f19d

View File

@ -1579,7 +1579,19 @@ static CURLcode Connect(struct UrlData *data,
/* read the protocol proxy: */
prox=curl_getenv(proxy_env);
if(!prox) {
/*
* We don't try the uppercase version of HTTP_PROXY because of
* security reasons:
*
* When curl is used in a webserver application
* environment (cgi or php), this environment variable can
* be controlled by the web server user by setting the
* http header 'Proxy:' to some value.
*
* This can cause 'internal' http/ftp requests to be
* arbitrarily redirected by any external attacker.
*/
if(!prox && !strequal("http_proxy", proxy_env)) {
/* There was no lowercase variable, try the uppercase version: */
for(envp = proxy_env; *envp; envp++)
*envp = toupper(*envp);