Problem/Motivation

We don't support any PHP version that is vulnerable to httpoxy anymore - the last version that was vulnerable was 7.0.8.

Therefore we can remove the comments from web.config.

Proposed resolution

Remove comments.

Remaining tasks

None

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

The web.config file used by Microsoft's IIS server has been updated to remove unnecessary configuration. The commented out Erase HTTP_PROXY rule has been removed. PHP 7.3 and up is not vulnerable and this rule can be removed if you have enabled it.


Comments

alexpott created an issue. See original summary.

alexpott’s picture

Issue summary: View changes
Status: Active » Needs review
Issue tags: +Needs release note, +9.2.0 release notes
alexpott’s picture

Issue summary: View changes
Issue tags: -Needs change record, -Needs release note

Actually not sure a change record is worth it here. The release note should suffice as all we are doing is removing a comment.

alexpott’s picture

Issue summary: View changes
alexpott’s picture

Issue summary: View changes
alexpott’s picture

Title: Remove httpoxy stuff from web.config » Remove commented out httpoxy rule from web.config
sulfikar_s’s picture

Status: Needs review » Reviewed & tested by the community

Hello,

I've tested your patch. It applied cleanly without any hassle. The patch removes the comment from the web.config file, and 'httpoxy' from the file /core/misc/cspell/dictionary.txt.

Changing the status to RTBC!

catch’s picture

Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs reroll

Needs a re-roll.

anushrikumari’s picture

Assigned: Unassigned » anushrikumari
anushrikumari’s picture

Assigned: anushrikumari » Unassigned
Status: Needs work » Needs review

Rerolled patch #2 for 9.2.x

longwave’s picture

Status: Needs review » Reviewed & tested by the community
Issue tags: -Needs reroll

  • catch committed 0a27cd4 on 9.2.x
    Issue #3181084 by alexpott, anushrikumari: Remove commented out httpoxy...
catch’s picture

Status: Reviewed & tested by the community » Fixed

Committed/pushed to 9.2.x, thanks!

jungle’s picture

Issue tags: +Needs followup
+++ b/core/misc/cspell/dictionary.txt
@@ -731,7 +731,6 @@ httpd
-httpoxy
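
Review bot: removing httpoxy from core/misc/cspell/dictionary.txt in this hunk is only safe once no spellchecked file still contains the word, and the yarn spellcheck:core output that follows reports four remaining uses in /core/modules/system/system.install (lines 1147 to 1165). Remove those system.install lines in the same change, or keep the dictionary entry until they are gone, so the spellcheck run exits cleanly.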

httpoxy cannot be removed simply

$ yarn spellcheck:core
yarn run v1.22.4
$ cspell "**/*" ".*" "../composer/**/*" "../composer.json"
/core/modules/system/system.install:1147:18 - Unknown word (httpoxy)
/core/modules/system/system.install:1156:6 - Unknown word (httpoxy)
/core/modules/system/system.install:1160:12 - Unknown word (httpoxy)
/core/modules/system/system.install:1165:11 - Unknown word (httpoxy)
CSpell: Files checked: 15164, Issues found: 4 in 1 files
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

Needs followup?

longwave’s picture

Hmm, those system.install lines should be removed too, I think? As they refer to the lines in web.config that we have now removed?

longwave’s picture

Status: Fixed » Needs review

This code only runs on PHP 7.0.8 and earlier, which can't happen in Drupal 9, so we can just remove it.

jungle’s picture

Status: Needs review » Reviewed & tested by the community
jungle’s picture

Issue tags: -Needs followup
alexpott’s picture

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.