diff options
Diffstat (limited to 'meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch')
| -rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch | 25 |
1 files changed, 0 insertions, 25 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch deleted file mode 100644 index dbcdfc6df..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch +++ /dev/null | |||
| @@ -1,25 +0,0 @@ | |||
| 1 | This patch has been copied from https://www.apache.org/security/asf-httpoxy-response.txt | ||
| 2 | as a mitigation of CVE-2016-5387. | ||
| 3 | |||
| 4 | Upstream-Status: Backport - fixed in 2.4.24 | ||
| 5 | |||
| 6 | Signed-off-by: Joe Slater<jslater@windriver.com> | ||
| 7 | |||
| 8 | |||
| 9 | --- a/server/util_script.c (revision 1752426) | ||
| 10 | +++ b/server/util_script.c (working copy) | ||
| 11 | @@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r | ||
| 12 | else if (!strcasecmp(hdrs[i].key, "Content-length")) { | ||
| 13 | apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); | ||
| 14 | } | ||
| 15 | + /* HTTP_PROXY collides with a popular envvar used to configure | ||
| 16 | + * proxies, don't let clients set/override it. But, if you must... | ||
| 17 | + */ | ||
| 18 | +#ifndef SECURITY_HOLE_PASS_PROXY | ||
| 19 | + else if (!strcasecmp(hdrs[i].key, "Proxy")) { | ||
| 20 | + ; | ||
| 21 | + } | ||
| 22 | +#endif | ||
| 23 | /* | ||
| 24 | * You really don't want to disable this check, since it leaves you | ||
| 25 | * wide open to CGIs stealing passwords and people viewing them | ||