From dcb086060c9dd6b2f51d8f7a895500307110b7a7 Mon Sep 17 00:00:00 2001 From: Niklas Keller Date: Mon, 12 Feb 2018 19:47:17 +0100 Subject: [PATCH] Security: Mitigate HTTPoxy vulnerability (#23) This mitigates the HTTPoxy vulnerability, see https://httpoxy.org/. Related CVE: CVE-2016-5385. --- src/FileGetContents.php | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/FileGetContents.php b/src/FileGetContents.php index 1c4230e..3cbc681 100644 --- a/src/FileGetContents.php +++ b/src/FileGetContents.php @@ -273,10 +273,15 @@ protected function getMergedStreamContext($url) { $options = $this->options; - // Handle system proxy - if (!empty($_SERVER['HTTP_PROXY']) || !empty($_SERVER['http_proxy'])) { - // Some systems seem to rely on a lowercased version instead... - $proxy = parse_url(!empty($_SERVER['http_proxy']) ? $_SERVER['http_proxy'] : $_SERVER['HTTP_PROXY']); + // See CVE-2016-5385, due to (emulation of) header copying with PHP web SAPIs into HTTP_* variables, + // HTTP_PROXY can be set by an user to any value he wants by setting the Proxy header. + // Mitigate the vulnerability by only allowing CLI SAPIs to use HTTP(S)_PROXY environment variables. + if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') { + // Handle system proxy + if (!empty($_SERVER['HTTP_PROXY']) || !empty($_SERVER['http_proxy'])) { + // Some systems seem to rely on a lowercased version instead... + $proxy = parse_url(!empty($_SERVER['http_proxy']) ? $_SERVER['http_proxy'] : $_SERVER['HTTP_PROXY']); + } } if (!empty($proxy)) {