From 90daf4b0713cc2f683c59901f2512f95e9117015 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Fri, 5 Aug 2016 06:57:37 +0000
Subject: extras/exec_cgi: fix for HTTPoxy vulnerability

Bad clients may set the Proxy: header in the response and cause any CGI programs we execute to use the value of that header as the HTTP proxy. This affects folks calling code which respects the HTTP_PROXY environment variable in CGI programs.

ref: https://httpoxy.org/
---
 extras/exec_cgi.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/extras/exec_cgi.rb b/extras/exec_cgi.rb
index 6bb40c1..b546e1f 100644
--- a/extras/exec_cgi.rb
+++ b/extras/exec_cgi.rb
@@ -86,6 +86,7 @@ class ExecCgi
   # Calls the app
   def call(env)
+    env.delete('HTTP_PROXY') # ref: https://httpoxy.org/
     cgi_env = { "GATEWAY_INTERFACE" => "CGI/1.1" }
     PASS_VARS.each { |key| val = env[key] and cgi_env[key] = val }
     env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ }
-- 
cgit v1.2.3-24-ge0c7
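Review bot: The added `env.delete('HTTP_PROXY')` mutates the shared Rack env in place, so any middleware or app that inspects env after this call no longer sees the header at all; since the only consumer that must not receive it is the child process, filtering it out where HTTP_ keys are copied into `cgi_env` (`env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ && key != 'HTTP_PROXY' }`) gives the same protection without altering what the rest of the stack observes. Whichever form is kept, the exact-key match relies on the server having normalized the `Proxy:` request header to the upper-cased `HTTP_PROXY` key, which holds for Rack-derived envs but is worth stating in the comment, e.g. `# Proxy: request header arrives as HTTP_PROXY; never pass it to the child (https://httpoxy.org/)`. PASS_VARS is defined outside the hunk, so I cannot tell from here whether it could reintroduce the key after the delete; if it lists HTTP_PROXY the delete would still win, but that is worth confirming. The body of `call` continues past the end of the hunk.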