github
/
flarum
mirror of https://github.com/flarum/flarum
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix workaround for HTTPoxy vulnerability 

Three issues with the previous solution:
* `Header unset` instead of `RequestHeader unset`
* No check for mod_headers being installed
* No alternative for when mod_headers is not installed (this still
  requires the mod_security module, but that's the best I could do)
pull/39/head
Franz Liedke 2017-02-12 01:36:42 +01:00
parent 70a765a2c8
commit 569e3a3b5e
No known key found for this signature in database
GPG Key ID: 9A0231A879B055F4
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.htaccess
View File

@ -10,7 +10,13 @@
</IfModule> </IfModule>
# Fix for https://httpoxy.org vulnerability # Fix for https://httpoxy.org vulnerability
Header unset Proxy <IfModule mod_headers.c>
RequestHeader unset Proxy
</IfModule>
<IfModule mod_security.c>
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"
</IfModule>
<IfModule mod_rewrite.c> <IfModule mod_rewrite.c>
RewriteEngine on RewriteEngine on