On 7/18/16, Martin S. Weber <ephae...@gmx.net> wrote:
> More info e.g. at https://httpoxy.org/
>
> suggested fix: "If you’re running PHP or CGI, you should block the Proxy
> header now."
>
> Fossil's suggesting deployment as a CGI
> Fossil's using http_proxy itself (as client)
>
> wondering whether:
> - fossil can be convinced to be exploitable by a well crafted proxy header
> - std CGI setup instructions should include deleting the Proxy header

The CGI logic in Fossil already ignores the "Proxy:" header. So I don't
see how this can be exploited.

-- 
D. Richard Hipp
d...@sqlite.org
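
The name collision discussed in this thread, as an added example that is not part of the original messages and is not Fossil's code: a CGI gateway following RFC 3875 exports each request header as an `HTTP_*` variable, so a client `Proxy` header lands in `HTTP_PROXY` unless the gateway drops it. The function names, the stand-in client lookup and the sample headers are all assumptions made for illustration.

```python
# Added illustration; not Fossil's code. All names and sample values are constructed.

def cgi_meta_variables(headers, strip_proxy=True):
    """Map client request headers to CGI meta-variables (RFC 3875, section 4.1.18)."""
    env = {}
    for name, value in headers:
        key = name.strip().upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value              # these two are passed without the HTTP_ prefix
            continue
        var = "HTTP_" + key
        if strip_proxy and var == "HTTP_PROXY":
            continue                      # the mitigation: never export a client "Proxy" header
        env[var] = env[var] + ", " + value if var in env else value
    return env


def build_cgi_env(server_env, headers, strip_proxy=True):
    """Environment the CGI child would see: operator settings plus request meta-variables."""
    env = dict(server_env)
    env.update(cgi_meta_variables(headers, strip_proxy))
    return env


def proxy_for_outbound(env):
    """Stand-in for an HTTP client that checks HTTP_PROXY first, then http_proxy."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# Constructed sample data.
SERVER_ENV = {"http_proxy": "http://proxy.corp.example:3128"}
REQUEST_HEADERS = [
    ("Host", "repo.example"),
    ("pRoXy", "http://untrusted.invalid:8080"),   # header names are case-insensitive
    ("Content-Length", "0"),
]

if __name__ == "__main__":
    for strip in (False, True):
        env = build_cgi_env(SERVER_ENV, REQUEST_HEADERS, strip_proxy=strip)
        print("strip_proxy=%s -> outbound proxy %s" % (strip, proxy_for_outbound(env)))
```

With stripping disabled the request-supplied value shadows the operator's `http_proxy`; with it enabled the operator's setting is the only one the child process sees.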