https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387
--- httpd-2.4.6/server/util_script.c.cve5387
+++ httpd-2.4.6/server/util_script.c
@@ -190,6 +190,10 @@
             continue;
         }
 #endif
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            /* Don't pass through HTTP_PROXY */
+            continue;
+        }
         else
             add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
     }
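Review bot: The comment on the new `Proxy` branch says what is skipped but not why, and the reason is the security-relevant part: a client-supplied `Proxy` request header would be exported to the script as `HTTP_PROXY`, the same variable many HTTP client libraries read as their outbound proxy setting (CVE-2016-5387). I would expand it to something like `/* Drop the client "Proxy" header: it would become HTTP_PROXY, which script-side HTTP clients treat as proxy configuration (CVE-2016-5387) */`. The exact-name `strcasecmp` match relies on `http2env()` mapping only this one header name to `HTTP_PROXY`; that function is outside the hunk, so it is worth confirming. The enclosing loop and the `if` chain also begin outside the hunk. Any handler that builds its environment without going through this loop would presumably need the same filter, or a `RequestHeader unset Proxy early` rule as a configuration-level backstop.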