Skip to content

Don't allow insecure proxy setting#143

Merged
kattrali merged 3 commits into
masterfrom
security
Jul 18, 2016
Merged

Don't allow insecure proxy setting#143
kattrali merged 3 commits into
masterfrom
security

Conversation

@GrahamCampbell

Copy link
Copy Markdown
Contributor

Patches CVE-2016-5385.

Comment thread config/bugsnag.php
*/

'proxy' => array_filter([
'http' => env('HTTP_PROXY'),

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the option from the default config file.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Restored in #145 since it's still safe for cli, so no real reason to remove it.

$options = ['base_uri' => isset($config['endpoint']) ? $config['endpoint'] : Client::ENDPOINT];

if (isset($config['proxy']) && $config['proxy']) {
if (isset($config['proxy']['http']) && php_sapi_name() != 'cli') {

@GrahamCampbell GrahamCampbell Jul 18, 2016

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't allow the option through if we're on a vulnerable system because it's likely it was set by an env variable, particularly if from an old config file.

@kattrali
kattrali merged commit 59cf2da into master Jul 18, 2016
@kattrali
kattrali deleted the security branch July 18, 2016 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants