CVE-2016-1000109: Ignore Proxy HTTP header from fastcgi requests

The default PHP behavior is to transform a Proxy header from requests
into the HTTP_PROXY environment variable in the PHP environment running the
request. Some scripts may use this env var to decide which HTTP proxy to
connect to, and we don't want requests to have that kind of control over
scripts' behavior.

Author: Orvid

hphp/runtime/server/fastcgi/fastcgi-transport.cpp

@@ -212,6 +212,10 @@ void FastCGITransport::onHeader(std::unique_ptr<folly::IOBuf> key_chain,
   Cursor keyCur(key_chain.get());
   auto key = keyCur.readFixedString(key_chain->computeChainDataLength());
 
+  // Don't allow requests to inject an HTTP_PROXY environment variable by
+  // sending a Proxy header.
+  if (strcasecmp(key.c_str(), "HTTP_PROXY") == 0) return;
+
   Cursor valCur(value_chain.get());
   auto value = valCur.readFixedString(value_chain->computeChainDataLength());