diff --git a/.htaccess b/.htaccess
index 4185442..f51ccb1 100644
--- a/.htaccess
+++ b/.htaccess
@@ -147,8 +147,10 @@ DirectoryIndex index.php index.html index.htm
-# Add headers to all responses.
+# Various header fixes.
 # Disable content sniffing, since it's an attack vector.
 Header always set X-Content-Type-Options nosniff
+ # Disable Proxy header, since it's an attack vector.
+ RequestHeader unset Proxy
diff --git a/modules/system/system.install b/modules/system/system.install
index d6707be..513c358 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
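Review bot: `RequestHeader unset Proxy` is a mod_headers directive, like the `Header always set` line above it, so the httpoxy mitigation is silently skipped on hosts where mod_headers is not loaded, and the comment should say so rather than let an administrator assume the rule is in force. Suggest `# Disable Proxy header, since it's an attack vector (httpoxy). Requires mod_headers; without it this line has no effect and the header reaches PHP as HTTP_PROXY.` Whether this block sits inside an `<IfModule mod_headers.c>` guard cannot be seen here, because the surrounding context lines are not shown in this view.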
@@ -520,6 +520,39 @@ function system_requirements($phase) {
 }
 }
+ // Warning for httpoxy on IIS with affected PHP versions
+ // @see https://www.drupal.org/node/2783079
+ if (strpos($software, 'Microsoft-IIS') !== FALSE
+ && (
+ version_compare(PHP_VERSION, '5.5.38', '<')
+ || (version_compare(PHP_VERSION, '5.6.0', '>=') && version_compare(PHP_VERSION, '5.6.24', '<'))
+ || (version_compare(PHP_VERSION, '7.0.0', '>=') && version_compare(PHP_VERSION, '7.0.9', '<'))
+ )) {
+ $dom = new \DOMDocument('1.0', 'UTF-8');
+ $webconfig = file_get_contents('web.config');
+ // If you are here the web.config file must - of course - be well formed.
+ // But the PHP DOM component will throw warnings on some XML compliant
+ // stuff, so silently parse the configuration file.
+ @$dom->loadHTML($webconfig);
+ $httpoxy_rewrite = FALSE;
+ foreach ($dom->getElementsByTagName('rule') as $rule) {
+ foreach ($rule->attributes as $attr) {
+ if (@$attr->name == 'name' && @$attr->nodeValue == 'Erase HTTP_PROXY') {
+ $httpoxy_rewrite = TRUE;
+ break 2;
+ }
+ }
+ }
+ if (!$httpoxy_rewrite) {
+ $requirements['iis_httpoxy_protection'] = [
+ 'title' => t('IIS httpoxy protection'),
+ 'value' => t('Your PHP runtime version is affected by the httpoxy vulnerability.'),
+ 'description' => t('Either update your PHP runtime version or uncomment the "Erase HTTP_PROXY" rule in your web.config file and add HTTP_PROXY to the allowed headers list. See more details in the security advisory.', [':link' => 'https://www.drupal.org/SA-CORE-2016-003']),
+ 'severity' => REQUIREMENT_ERROR,
+ ];
+ }
+ }
+
 return $requirements;
 }
diff --git a/web.config b/web.config
index 1d82aab..dcf948d 100644
--- a/web.config
+++ b/web.config
@@ -26,6 +26,18 @@
+
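Review bot: `file_get_contents('web.config')` resolves against the process working directory and its FALSE return is never checked, so when the cwd is not the site root or the file is unreadable a warning is emitted and `@$dom->loadHTML(FALSE)` parses an empty string; the check still ends in REQUIREMENT_ERROR, which is the safe direction, but for the wrong reason and with stray warnings on the status report. Anchor the path on `DRUPAL_ROOT` and treat a missing or empty file as "not protected" explicitly. The attribute walk can also use `$rule->getAttribute('name') === 'Erase HTTP_PROXY'`, which drops the inner loop, both `@` suppressions and the loose `==`. `system_requirements()` begins outside the hunk; `$software` is set there and is presumably the server software string.
```php
    $webconfig = file_get_contents(DRUPAL_ROOT . '/web.config');
    $httpoxy_rewrite = FALSE;
    if ($webconfig !== FALSE && $webconfig !== '') {
      $dom = new \DOMDocument('1.0', 'UTF-8');
      // … unchanged: comment on suppressed DOM parser warnings …
      @$dom->loadHTML($webconfig);
      foreach ($dom->getElementsByTagName('rule') as $rule) {
        if ($rule->getAttribute('name') === 'Erase HTTP_PROXY') {
          $httpoxy_rewrite = TRUE;
          break;
        }
      }
    }
    // … unchanged: requirement entry when $httpoxy_rewrite is FALSE …
```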