author | Daniel Stenberg <daniel@haxx.se> | 2001-04-11 14:13:52 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2001-04-11 14:13:52 +0000 |
commit | 18f044f19d26f2b6dcd41796966f488a62a1bdca (patch) | |
tree | 330c52fffa52e19d620d4df0df8d65b49cdcc86b /lib | |
parent | d7b54eb835d1b297dc7bb852d11353b2105d6043 (diff) |
we don't use the HTTP_PROXY environment variable in uppercase anymore, since
it might become a security problem (Bugs item #415391)
Diffstat (limited to 'lib')
-rw-r--r-- | lib/url.c | 14 |
1 files changed, 13 insertions, 1 deletions
@@ -1579,7 +1579,19 @@ static CURLcode Connect(struct UrlData *data,
 /* read the protocol proxy: */
 prox=curl_getenv(proxy_env);
- if(!prox) {
+ /*
+ * We don't try the uppercase version of HTTP_PROXY because of
+ * security reasons:
+ *
+ When curl is used in a webserver application
+ environment (cgi or php), this environment variable can
+ be controlled by the web server user by setting the
+ http header 'Proxy:' to some value.
+ *
+ This can cause 'internal' http/ftp requests to be
+ arbitrarily redirected by any external attacker.
+ */
+ if(!prox && !strequal("http_proxy", proxy_env)) {
 /* There was no lowercase variable, try the uppercase version: */
 for(envp = proxy_env; *envp; envp++)
 *envp = toupper(*envp); |
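Review bot: The new comment above `if(!prox && !strequal("http_proxy", proxy_env))` states the consequence but not the mechanism that makes only the uppercase name untrustworthy: a CGI gateway exports request headers as environment variables named `HTTP_<HEADER>`, so a client-supplied `Proxy:` header arrives as `HTTP_PROXY`, whereas the lowercase `http_proxy` cannot be produced from a request. Adding that one line to the comment, e.g. `* (CGI exports request headers as HTTP_<NAME>; a 'Proxy:' header becomes HTTP_PROXY, the lowercase name cannot be set that way.)`, keeps a later maintainer from relaxing the check, and it is also worth noting there that the uppercase fallback is deliberately kept for the other schemes (ftp_proxy etc.) because their uppercase forms lack the HTTP_ prefix and so cannot be injected the same way. The exemption presumes `proxy_env` holds the lowercase scheme-derived name at this point and that `strequal` is the right comparison for it; both are established outside the hunk, as are the start and end of Connect().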