From 569e3a3b5ec862ecae93e0e438dd6a7a4c5012ed Mon Sep 17 00:00:00 2001 From: Franz Liedke Date: Sun, 12 Feb 2017 01:36:42 +0100 Subject: [PATCH] Fix workaround for HTTPoxy vulnerability Three issues with the previous solution: * `Header unset` instead of `RequestHeader unset` * No check for mod_headers being installed * No alternative for when mod_headers is not installed (this still requires the mod_security module, but that's the best I could do) --- .htaccess | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.htaccess b/.htaccess index 95b6f76..f35dd21 100644 --- a/.htaccess +++ b/.htaccess @@ -10,7 +10,13 @@ # Fix for https://httpoxy.org vulnerability -Header unset Proxy + + RequestHeader unset Proxy + + + SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'" + + RewriteEngine on
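Review bot: The two added branches treat the same request differently, and the comment above them (`# Fix for https://httpoxy.org vulnerability`) does not say so: the `RequestHeader unset Proxy` line strips the header and lets the request continue, while the `SecRule &REQUEST_HEADERS:Proxy "@gt 0"` fallback uses `deny` and rejects the request. Please extend that comment to state that a request carrying a Proxy header is stripped under mod_headers but denied and logged under mod_security. It should also say that, as the commit message acknowledges, a host with neither module gets no mitigation from this file and has to apply the fix at the server or PHP level. The hard-coded `id:1000005` in the `SecRule` line can clash with a rule of the same ID already defined in a host's ModSecurity configuration, so a short note on where the ID comes from would help operators diagnose a conflict. The commit message describes a check for mod_headers, but no guard lines are visible around either directive in the hunk as shown; please confirm both directives are wrapped so that the .htaccess file still parses when the corresponding module is not loaded.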