Background information about this change
This is a backport of the D8 security fix. Although Drupal 7 core is not vulnerable, porting the fix to the .htaccess and web.config files mitigates the issue when vulnerable libraries or vulnerable code are in use.
Installation and setup instructions
This change modifies the .htaccess and web.config files.
The changes will not affect sites running PHP >= 7.0.9, 5.6.24, or 5.5.38, where the issue was fixed or does not exist. Other affected sites will see a notice on the Status Report that they may need to change a deployment setting if they are not running an updated version of PHP that includes the HTTP proxy header fixes.
Sites running on Microsoft-IIS should not encounter any difficulties; the Status Report will warn them of any changes required to their configuration.
The change in .htaccess is the addition of a header fix:
-# Add headers to all responses.
+# Various header fixes.
<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options nosniff
+ # Disable Proxy header, since it's an attack vector.
+ RequestHeader unset Proxy
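Review bot: the new `RequestHeader unset Proxy` directive sits inside the existing `<IfModule mod_headers.c>` block, so on a host where mod_headers is not loaded the mitigation is silently skipped; the change record only mentions Status Report warnings for IIS, so consider documenting that Apache operators should confirm mod_headers is enabled (or have the status check report its absence).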
The change in web.config is a commented-out rule that can be uncommented as needed:
<!-- If running on a PHP version affected by the httpoxy vulnerability,
uncomment the following rule to mitigate its impact. To make this
rule work, you will also need to add HTTP_PROXY to the allowed server
variables manually in IIS. See https://www.drupal.org/node/2783079.
<rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
  <match url="*.*" />
  <serverVariables>
    <set name="HTTP_PROXY" value="" />
  </serverVariables>
  <action type="None" />
</rule>
-->
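The following added example (not Drupal code) models why the two rules above work: CGI-style servers expose every request header to PHP as an HTTP_<NAME> environment variable, so a client-supplied Proxy header becomes HTTP_PROXY, which HTTP client libraries may read as their outbound proxy. The request headers and the proxy value are constructed, and the header-to-environment mapping and the effect of each rule are modelled in plain Python rather than run against a real server.

```python
"""Model of the httpoxy mechanism mitigated by the .htaccess/web.config rules."""
import re

# Constructed request headers, including a client-supplied Proxy header.
REQUEST_HEADERS = {
    "Host": "example.test",
    "Proxy": "proxy.example.test:8080",  # constructed value, not a real host
    "X-Forwarded-For": "203.0.113.9",
}

def cgi_environ(headers):
    """Map request headers to CGI meta-variables (RFC 3875 section 4.1.18):
    upper-case the name, replace non-alphanumerics with '_', prefix HTTP_."""
    return {"HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper()): value
            for name, value in headers.items()}

def apache_unset_proxy(headers):
    """Effect of `RequestHeader unset Proxy`: drop the header before PHP runs.
    Header names are case-insensitive, so 'proxy' and 'PROXY' go too."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}

def iis_erase_http_proxy(environ):
    """Effect of the web.config rule: set server variable HTTP_PROXY to ''."""
    env = dict(environ)
    if "HTTP_PROXY" in env:
        env["HTTP_PROXY"] = ""
    return env

def outbound_proxy(environ):
    """Where a naive HTTP client library would send its requests: it honours
    a non-empty HTTP_PROXY, otherwise it connects directly (None)."""
    return environ.get("HTTP_PROXY") or None

def demo(headers=REQUEST_HEADERS):
    """Outbound proxy seen by PHP code with no mitigation, with the Apache
    rule applied, and with the IIS rule applied."""
    unmitigated = cgi_environ(headers)
    return {
        "unmitigated": outbound_proxy(unmitigated),
        "apache": outbound_proxy(cgi_environ(apache_unset_proxy(headers))),
        "iis": outbound_proxy(iis_erase_http_proxy(unmitigated)),
    }

if __name__ == "__main__":
    for name, proxy in demo().items():
        print(f"{name:12s} -> outbound proxy: {proxy}")
```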