#66 Security issue with HTTP_PROXY

libcurl (356)

Curl/libcurl apparently checks HTTP_PROXY for proxy
information for requests.

When curl is used in a webserver application
environment (cgi or php), this environment variable can
be controlled by the web server user by setting the
http header 'Proxy:' to some value.

This can cause 'internal' http/ftp requests to be
arbitrarily redirected by any external attacker.

This issue was recently uncovered in LWP, the perl
library for http, which checks http_proxy in a
case-insensitive manner.

Curl should only check the lower case version of this
variable. This might not be enough on NT.


  • Daniel Stenberg

    Daniel Stenberg - 2001-04-11
    • priority: 5 --> 7
    • status: open --> closed-fixed
  • Daniel Stenberg

    Daniel Stenberg - 2001-04-11

    Logged In: YES

    I understand perfectly.

    I just committed a fix that prevents libcurl from trying to
    use HTTP_PROXY in the uppercase version.

    Thanks for reporting!


Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks