Hello! On Tue, Jul 19, 2016 at 03:48:16PM +0200, Thomas Deutschmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> I am proxy maintaining the nginx package on Gentoo.
>
> Regarding the recent "httpoxy" problem (you already published a blog
> posting [1] with instructions how to mitigate the problem) we are
> unsure if we should update our package to ship your mitigation per
> default, i.e. altering your "fastcgi_param" file and add
>
> fastcgi_param HTTP_PROXY "";
>
> This would protect default configurations. However some setups might
> require a proxy which could break when fastcgi_param file will be
> sourced after user's configuration.
>
> From my point of view this is a user education problem: If they know
> what they are doing they won't have to do anything: They should be
> fine already or at least will set their required values *after*
> sourcing the default fastcgi_param file.
>
> For Gentoo we would use our elog and/or news system to tell the user
> about the changes.
>
> However we want to know if you, upstream, are going to change the
> default shipped fastcgi_param file (don't forget the .conf file) with
> the next upcoming release to include a "safer" default configuration
> as well or if there are reasons not to ship such a default and maybe
> you recommend us also to do nothing.

I don't think that the default should be changed.

The problem is about improperly using the HTTP_PROXY environment
variable in CGI[-like] contexts. And this is what should be fixed.
Much like any other uses of HTTP_* environment variables.

While filtering particular headers can be effectively used as a
mitigation before all the affected uses are fixed, it doesn't look
like a good long-term solution.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel
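The following is an added example, not code from the thread, from nginx or from Gentoo. It models in a few lines the mechanism both messages are talking about: a CGI/FastCGI gateway turning every request header into an HTTP_* meta-variable, so a client-supplied "Proxy:" header arrives in the application as HTTP_PROXY. It then shows the two fixes the thread contrasts: the gateway-side filter (the effect of the quoted `fastcgi_param HTTP_PROXY "";`, modelled here as clearing the variable) and the application-side fix Maxim recommends (ignore HTTP_PROXY when the process is running in a CGI context, detectable by REQUEST_METHOD being set). All function names (build_cgi_env, naive_proxy_from_env, safe_proxy_from_env) and the sample headers are constructed for illustration.

```python
"""Toy model of the httpoxy mechanism and its two mitigation points.

Added example, not part of the nginx-devel thread. Names and inputs are
made up for illustration; this is not nginx's or any framework's code.
"""


def build_cgi_env(headers, filter_proxy=False):
    """Map request headers to CGI meta-variables the way RFC 3875 4.1.18
    describes: the header name is upper-cased, '-' becomes '_' and the
    result is prefixed with HTTP_.  A client header "Proxy: x" therefore
    becomes HTTP_PROXY=x.

    filter_proxy=True models the gateway-side mitigation from the thread
    (nginx: fastcgi_param HTTP_PROXY "";), which forces the variable to
    an empty string regardless of what the client sent.
    """
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if filter_proxy:
        env["HTTP_PROXY"] = ""
    return env


def naive_proxy_from_env(env):
    """The vulnerable pattern: an HTTP client library that honours
    HTTP_PROXY wherever the process runs.  Under CGI the value is
    attacker-controlled, so outbound requests get routed through it."""
    return env.get("HTTP_PROXY") or None


def safe_proxy_from_env(env):
    """Application-side fix (what the reply argues for): HTTP_PROXY is only
    a trustworthy operator setting outside CGI.  If REQUEST_METHOD is set
    we are inside a CGI-like context and the variable is ignored.  The
    lower-case http_proxy, which a gateway never derives from a header,
    is still honoured so legitimate proxy setups keep working."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy") or None
    return env.get("HTTP_PROXY") or env.get("http_proxy") or None


if __name__ == "__main__":
    # Constructed request: an attacker adds a Proxy header.
    hostile = [("Host", "example.com"), ("Proxy", "http://attacker.invalid:8080")]
    env = build_cgi_env(hostile)
    print("unfiltered env, naive client proxies via:", naive_proxy_from_env(env))
    print("unfiltered env, fixed client proxies via:", safe_proxy_from_env(env))
    print("filtered env,   naive client proxies via:",
          naive_proxy_from_env(build_cgi_env(hostile, filter_proxy=True)))
```

The model makes the ordering concern in the Gentoo message concrete: the gateway filter only helps if it is the last thing to set HTTP_PROXY for that request, while the application-side check works no matter how the gateway is configured, which is why the reply treats header filtering as a stop-gap rather than a default to ship.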
