Hi, there are several programs that honor the HTTP_PROXY environment variable in upper case. This is of course problematic if such programs are called inside CGIs because the variable can be set by an attacker via the Proxy: header.
It goes without question that all these programs need to be fixed. But I think it would still be a good idea if httpd would not export the HTTP_PROXY variable to CGIs and other subprocesses (mod_include, etc.) by default. The easiest way to achieve this would be to modify the ap_add_common_vars() function. Probably there should be a config knob to revert to the old behavior. For now, a flag would beenough, but this could later be extended to allow to specify a list of variables. Another place where HTTP_PROXY should be blacklisted is probably the suexec helper. This would of course not be configurable. What do you think? If you agree, how should the config directive be called? BlacklistEnv (on/off for now but maybe a list of vars in the future)? Cheers, Stefan
