From dcb086060c9dd6b2f51d8f7a895500307110b7a7 Mon Sep 17 00:00:00 2001
From: Niklas Keller <me@kelunik.com>
Date: Mon, 12 Feb 2018 19:47:17 +0100
Subject: [PATCH] Security: Mitigate HTTPoxy vulnerability (#23)

This mitigates the HTTPoxy vulnerability, see https://httpoxy.org/.

Related CVE: CVE-2016-5385.
---
 src/FileGetContents.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/FileGetContents.php b/src/FileGetContents.php
index 1c4230e..3cbc681 100644
--- a/src/FileGetContents.php
+++ b/src/FileGetContents.php
@@ -273,10 +273,15 @@ protected function getMergedStreamContext($url)
     {
         $options = $this->options;
 
-        // Handle system proxy
-        if (!empty($_SERVER['HTTP_PROXY']) || !empty($_SERVER['http_proxy'])) {
-            // Some systems seem to rely on a lowercased version instead...
-            $proxy = parse_url(!empty($_SERVER['http_proxy']) ? $_SERVER['http_proxy'] : $_SERVER['HTTP_PROXY']);
+        // See CVE-2016-5385, due to (emulation of) header copying with PHP web SAPIs into HTTP_* variables,
+        // HTTP_PROXY can be set by an user to any value he wants by setting the Proxy header.
+        // Mitigate the vulnerability by only allowing CLI SAPIs to use HTTP(S)_PROXY environment variables.
+        if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') {
+            // Handle system proxy
+            if (!empty($_SERVER['HTTP_PROXY']) || !empty($_SERVER['http_proxy'])) {
+                // Some systems seem to rely on a lowercased version instead...
+                $proxy = parse_url(!empty($_SERVER['http_proxy']) ? $_SERVER['http_proxy'] : $_SERVER['HTTP_PROXY']);
+            }
         }
 
         if (!empty($proxy)) {