commit: c4b897dc39a939d0f409e1bcd9f6bd9c75679cf9
Author: Thomas Deutschmann <whissi <AT> whissi <DOT> de>
AuthorDate: Tue Jul 19 23:16:33 2016 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Jul 26 09:51:22 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4b897dc
www-servers/nginx: HTTPoxy mitigation added
Package-Manager: portage-2.3.0
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
.../nginx/files/nginx-httpoxy-mitigation.patch | 33 ++++++++++++++++++++++
...{nginx-1.11.2.ebuild => nginx-1.10.1-r1.ebuild} | 23 +++++++++------
www-servers/nginx/nginx-1.11.2.ebuild | 13 +++++++++
3 files changed, 61 insertions(+), 8 deletions(-)
diff --git a/www-servers/nginx/files/nginx-httpoxy-mitigation.patch
b/www-servers/nginx/files/nginx-httpoxy-mitigation.patch
new file mode 100644
index 0000000..7e9618b
--- /dev/null
+++ b/www-servers/nginx/files/nginx-httpoxy-mitigation.patch
@@ -0,0 +1,33 @@
+httpoxy mitigation
+
+See https://httpoxy.org/ and https://www.nginx.com/blog/?p=41962 for details.
+---
+ conf/fastcgi.conf | 3 +++
+ conf/fastcgi_params | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/conf/fastcgi.conf b/conf/fastcgi.conf
+index 091738c..9f7e192 100644
+--- a/conf/fastcgi.conf
++++ b/conf/fastcgi.conf
+@@ -24,3 +24,6 @@ fastcgi_param SERVER_NAME $server_name;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
++
++# httpoxy mitigation (https://httpoxy.org/
https://www.nginx.com/blog/?p=41962)
++fastcgi_param HTTP_PROXY "";
+diff --git a/conf/fastcgi_params b/conf/fastcgi_params
+index 28decb9..3be3a95 100644
+--- a/conf/fastcgi_params
++++ b/conf/fastcgi_params
+@@ -23,3 +23,6 @@ fastcgi_param SERVER_NAME $server_name;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
++
++# httpoxy mitigation (https://httpoxy.org/
https://www.nginx.com/blog/?p=41962)
++fastcgi_param HTTP_PROXY "";
+--
+2.9.2
+
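Review bot: The override is only added to the two FastCGI parameter files, so backends reached through the uwsgi and scgi modules still receive a client-controlled `Proxy:` request header as HTTP_PROXY. nginx ships conf/uwsgi_params and conf/scgi_params next to these files (not shown in this diff) and the referenced nginx.com advisory recommends the same treatment there, so the patch should also add `uwsgi_param HTTP_PROXY "";` to conf/uwsgi_params and `scgi_param HTTP_PROXY "";` to conf/scgi_params. Backends behind proxy_pass have no shared params file, so they cannot be covered by this patch; the ebuild warning could at least point admins to `proxy_set_header Proxy "";` for those locations. As I read the fastcgi module, an explicit fastcgi_param takes precedence over the request-header-derived HTTP_* value, which is what makes the empty assignment effective; the in-file comment should say so, e.g. `# explicit empty value suppresses the HTTP_PROXY derived from a client Proxy: header`, so a later cleanup does not drop a seemingly pointless line.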
diff --git a/www-servers/nginx/nginx-1.11.2.ebuild
b/www-servers/nginx/nginx-1.10.1-r1.ebuild
similarity index 97%
copy from www-servers/nginx/nginx-1.11.2.ebuild
copy to www-servers/nginx/nginx-1.10.1-r1.ebuild
index 9bfdddd..5912230 100644
--- a/www-servers/nginx/nginx-1.11.2.ebuild
+++ b/www-servers/nginx/nginx-1.10.1-r1.ebuild
@@ -171,7 +171,7 @@ LICENSE="BSD-2 BSD SSLeay MIT GPL-2 GPL-2+
nginx_modules_http_security? ( Apache-2.0 )
nginx_modules_http_push_stream? ( GPL-3 )"
-SLOT="mainline"
+SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux"
NGINX_MODULES_STD="access auth_basic autoindex browser charset empty_gif
@@ -269,7 +269,7 @@ CDEPEND="
nginx_modules_http_auth_ldap? ( net-nds/openldap[ssl?] )"
RDEPEND="${CDEPEND}
selinux? ( sec-policy/selinux-nginx )
- !www-servers/nginx:0"
+ !www-servers/nginx:mainline"
DEPEND="${CDEPEND}
arm? ( dev-libs/libatomic_ops )
libatomic? ( dev-libs/libatomic_ops )"
@@ -319,12 +319,7 @@ pkg_setup() {
src_prepare() {
eapply "${FILESDIR}/${PN}-1.4.1-fix-perl-install-path.patch"
-
- if use nginx_modules_http_sticky; then
- cd "${HTTP_STICKY_MODULE_WD}" || die
- eapply "${FILESDIR}"/http-sticky-nginx-1.11.2.patch
- cd "${S}" || die
- fi
+ eapply "${FILESDIR}/${PN}-httpoxy-mitigation.patch"
if use nginx_modules_http_upstream_check; then
eapply -p0 "${HTTP_UPSTREAM_CHECK_MODULE_WD}/check_1.9.2+".patch
@@ -758,4 +753,16 @@ pkg_postinst() {
ewarn "'rx' permissions on /var/log/nginx (default on a fresh
install)"
ewarn "Otherwise you end up with empty log files after a
logrotate."
fi
+
+ # HTTPoxy mitigation
+ ewarn ""
+ ewarn "This nginx installation comes with a mitigation for the HTTPoxy"
+ ewarn "vulnerability for FastCGI applications by setting the HTTP_PROXY
FastCGI"
+ ewarn "parameter to an empty string per default when you are sourcing
the default"
+ ewarn "'fastcgi_params' or 'fastcgi.conf' in your server block(s)."
+ ewarn ""
+ ewarn "If this is causing any problems for you make sure that you are
sourcing the"
+ ewarn "default parameters _before_ you set your own values."
+ ewarn "If you are relying on user-supplied proxy values you have to
remove the"
+ ewarn "correlating lines from 'fastcgi_params' and or 'fastcgi.conf'."
}
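Review bot: The message tells admins that the installation "comes with" the mitigation, but on an upgrade the patched fastcgi_params/fastcgi.conf are installed under /etc/nginx (assuming the conf/ files go there, as the message implies), which is covered by CONFIG_PROTECT, so an existing system keeps its old copies until the ._cfg0000_ files are merged with dispatch-conf or etc-update — until then the mitigation is not in effect and the warning is misleading. I would add a line such as `ewarn "On upgrades these files are config-protected: merge the updated fastcgi_params/fastcgi.conf (dispatch-conf/etc-update) or the mitigation is not active."`. The body of pkg_postinst begins above this hunk.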
diff --git a/www-servers/nginx/nginx-1.11.2.ebuild
b/www-servers/nginx/nginx-1.11.2.ebuild
index 9bfdddd..0a7e068 100644
--- a/www-servers/nginx/nginx-1.11.2.ebuild
+++ b/www-servers/nginx/nginx-1.11.2.ebuild
@@ -319,6 +319,7 @@ pkg_setup() {
src_prepare() {
eapply "${FILESDIR}/${PN}-1.4.1-fix-perl-install-path.patch"
+ eapply "${FILESDIR}/${PN}-httpoxy-mitigation.patch"
if use nginx_modules_http_sticky; then
cd "${HTTP_STICKY_MODULE_WD}" || die
@@ -758,4 +759,16 @@ pkg_postinst() {
ewarn "'rx' permissions on /var/log/nginx (default on a fresh
install)"
ewarn "Otherwise you end up with empty log files after a
logrotate."
fi
+
+ # HTTPoxy mitigation
+ ewarn ""
+ ewarn "This nginx installation comes with a mitigation for the HTTPoxy"
+ ewarn "vulnerability for FastCGI applications by setting the HTTP_PROXY
FastCGI"
+ ewarn "parameter to an empty string per default when you are sourcing
the default"
+ ewarn "'fastcgi_params' or 'fastcgi.conf' in your server block(s)."
+ ewarn ""
+ ewarn "If this is causing any problems for you make sure that you are
sourcing the"
+ ewarn "default parameters _before_ you set your own values."
+ ewarn "If you are relying on user-supplied proxy values you have to
remove the"
+ ewarn "correlating lines from 'fastcgi_params' and or 'fastcgi.conf'."
}
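Review bot: The last three ewarn lines tell admins who rely on user-supplied proxy values to remove the mitigation without saying that this is the HTTPoxy attack itself — a client sets the `Proxy:` request header and the backend's outbound HTTP calls get routed through an attacker-chosen proxy — so the advice reads like a neutral configuration choice. I would rephrase to `ewarn "If you really need the client-supplied Proxy header in HTTP_PROXY, remove the"` / `ewarn "corresponding lines from 'fastcgi_params' and/or 'fastcgi.conf'; note that this"` / `ewarn "re-exposes that backend to HTTPoxy."`. Independently, "and or" should be "and/or" and "correlating" should be "corresponding". pkg_postinst starts above this hunk.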