https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387
--- httpd-2.4.6/server/util_script.c.cve5387
+++ httpd-2.4.6/server/util_script.c
@@ -190,6 +190,10 @@
continue;
}
#endif
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ /* Don't pass through HTTP_PROXY */
+ continue;
+ }
else
add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);