jFastCGI / jfastcgi


httpoxy is fixed by PHP 7.0.9, but why not 'belt and braces' #21

Closed jm009 closed 6 years ago

jm009 commented 6 years ago

Dear all,

To protect against the httpoxy attack [1], the Tomcat CGI servlet introduced a filter (by regular expression) controlling which HTTP headers sent by the browser are forwarded to the CGI script as HTTP_... environment variables [2]. jfastcgi is prepared for a similar mechanism with the HeaderFilter in [3], but does not use this mechanism by default. I suggest implementing a default filter similar to the one in the Tomcat CGI servlet, or at least mentioning the potential threat in the documentation. I just learned that PHP versions newer than 7.0.9 have an "Ugly hack to fix HTTP_PROXY issue" [4] [5] [6]. But why not filter anyway, just to keep under control what is forwarded from the request data (which can be manipulated by potential attackers) to the scripts?

Best regards

Jan Michael Greiner

[1] https://httpoxy.org/
[2] See parameter envHttpHeaders, http://tomcat.apache.org/tomcat-9.0-doc/cgi-howto.html
[3] https://github.com/jFastCGI/jfastcgi/blob/master/client/core/src/main/java/org/jfastcgi/client/FastCGIHandler.java
[4] http://php.net/ChangeLog-7.php#7.0.9
[5] https://bugs.php.net/bug.php?id=72573
[6] https://gist.github.com/smalyshev/ba40554d812723e0397dd0cfef57932d

jrialland commented 6 years ago

Thank you very much for your precise description of the issue !

jm009 commented 6 years ago

If I got it right, the idea for the CGIServlet is not to make a blacklist of headers, but a whitelist. Who knows whether another problem with another environment variable may come up some day... But hey, that fix was fast :-) If everything got fixed as fast as that, it would be a better world :-)

jm009 commented 6 years ago

I think no client, except a malicious hacker, will ever send a web client request header named "proxy". I think the four code lines in org.jfastcgi.client.FastCGIHandler are not needed:

```java
else if (key.equalsIgnoreCase("PROXY")) {
    // Avoid passing HTTP_PROXY to the script (https://github.com/jFastCGI/jfastcgi/issues/21)
    addHeader(ws, "CGI_HTTP_PROXY", value);
}
```
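The two mitigations this thread compares, the Tomcat-style allow list from the first comment and the rename-to-CGI_HTTP_PROXY approach of the snippet above, side by side on one constructed request. This is an added example written for this page; it is not jfastcgi, Tomcat or PHP code, and it models the header-to-environment mapping in Python rather than Java so the behaviour can be run without a servlet container. The regular expression is the default documented for Tomcat's envHttpHeaders parameter in the CGI HOWTO linked as [2]; the function names and the sample request headers are assumptions made here.

```python
"""Model of the CGI/FastCGI header-to-environment mapping that httpoxy abuses,
with the two mitigations discussed in this thread side by side.

Added example; not jfastcgi, Tomcat or PHP code. The regular expression below
is the default documented for Tomcat's envHttpHeaders parameter (see [2]);
everything else (function names, the sample request) is constructed here.
"""
import re

# Tomcat CGIServlet default for envHttpHeaders: the whole upper-cased header
# name must match, otherwise the header is not exported to the script at all.
TOMCAT_DEFAULT_ENV_HTTP_HEADERS = re.compile(
    r"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"
)

# Constructed request: an ordinary browser request plus the attacker-controlled
# "Proxy" header that httpoxy relies on. Headers are kept as (name, value)
# pairs so that repeated names survive, as a real gateway receives them.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "Mozilla/5.0"),
    ("Accept", "text/html"),
    ("Accept-Encoding", "gzip"),
    ("Cookie", "session=abc"),
    ("Proxy", "http://attacker.example:8080"),
    ("X-Forwarded-For", "203.0.113.7"),
]


def cgi_env_name(header_name):
    """RFC 3875 mapping: upper-case, '-' becomes '_', prefix with HTTP_.

    This is exactly why a request header named "Proxy" turns into HTTP_PROXY,
    the variable many HTTP client libraries read to find an outbound proxy.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def _put(env, name, value):
    """Merge repeated headers into one value, as RFC 3875 section 4.1.18 requires."""
    env[name] = value if name not in env else env[name] + ", " + value


def forward_all(headers):
    """Unfiltered gateway (no HeaderFilter configured): every header is exported."""
    env = {}
    for name, value in headers:
        _put(env, cgi_env_name(name), value)
    return env


def forward_whitelisted(headers, allowed=TOMCAT_DEFAULT_ENV_HTTP_HEADERS):
    """Tomcat-style allow list: only headers matching the pattern are exported.

    HTTP_PROXY is dropped, but so is any other unexpected header
    (X-Forwarded-For here), so a future problem with a different variable
    is covered without touching the code.
    """
    env = {}
    for name, value in headers:
        if allowed.fullmatch(name.upper()):
            _put(env, cgi_env_name(name), value)
    return env


def forward_with_rename(headers):
    """Deny-list mitigation in the style of the FastCGIHandler snippet and of
    PHP 7.0.9: the Proxy header is still exported, but as CGI_HTTP_PROXY,
    a name that proxy-aware client libraries do not consult.
    """
    env = {}
    for name, value in headers:
        if name.upper() == "PROXY":
            _put(env, "CGI_HTTP_PROXY", value)
        else:
            _put(env, cgi_env_name(name), value)
    return env


def compare(headers=SAMPLE_HEADERS):
    """Return, per strategy, whether HTTP_PROXY reaches the script's environment."""
    return {
        "forward_all": "HTTP_PROXY" in forward_all(headers),
        "forward_whitelisted": "HTTP_PROXY" in forward_whitelisted(headers),
        "forward_with_rename": "HTTP_PROXY" in forward_with_rename(headers),
    }


if __name__ == "__main__":
    for strategy, leaks in compare().items():
        print(f"{strategy:22s} HTTP_PROXY exported: {leaks}")
```

Both filtered strategies keep HTTP_PROXY out of the environment, but only the allow list also keeps out headers nobody has thought about yet, which is the "belt and braces" point of the issue title. To check a real deployment the same way, send a request carrying a Proxy header and have the script dump its environment (for PHP, getenv('HTTP_PROXY') versus getenv('CGI_HTTP_PROXY')).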