Problem/Motivation
We don't support any PHP version that is vulnerable to httpoxy anymore - the last version that was vulnerable was 7.0.8.
Therefore we can remove the comments from web.config.
Proposed resolution
Remove comments.
Remaining tasks
None
User interface changes
None
API changes
None
Data model changes
None
Release notes snippet
The web.config file used by Microsoft's IIS server has been updated to remove unnecessary configuration. The commented out Erase HTTP_PROXY rule has been removed. PHP 7.3 and up is not vulnerable and this rule can be removed if you have enabled it.
Comment | File | Size | Author |
---|---|---|---|
#16 | 3181084-followup.patch | 1.92 KB | longwave |
#10 | 3181084_10.patch | 2.36 KB | anushrikumari |
#2 | 3181084-2.patch | 2.36 KB | alexpott |
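
An added example, not part of the Drupal patch or this issue: a Python check that reports whether a web.config still carries the Erase HTTP_PROXY rule as an active rule or only as a commented-out block, which is what the release note asks site owners to look for. The sample file contents and the function name `audit_httpoxy_rule` are constructed for illustration; only the rule name comes from the page.

```python
import re
import xml.etree.ElementTree as ET

RULE_NAME = "Erase HTTP_PROXY"  # rule name as given in the release note

# Constructed sample, not Drupal's shipped web.config: one copy of the rule
# is commented out and one copy has been enabled by the site owner.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!--
        <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
          <match url="*.*" />
          <action type="None" />
        </rule>
        -->
        <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
          <match url="*.*" />
          <serverVariables>
            <set name="HTTP_PROXY" value="" />
          </serverVariables>
          <action type="None" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def audit_httpoxy_rule(web_config_text):
    """Count active and commented-out copies of the rule in a web.config."""
    # ElementTree's default parser discards XML comments, so every <rule>
    # element it returns is one that IIS would actually load.
    root = ET.fromstring(web_config_text)
    active = sum(1 for r in root.iter("rule") if r.get("name") == RULE_NAME)
    # Commented-out copies: search the text of each XML comment for the name.
    comments = re.findall(r"<!--(.*?)-->", web_config_text, flags=re.DOTALL)
    commented = sum(c.count('name="%s"' % RULE_NAME) for c in comments)
    return {"active": active, "commented_out": commented}


if __name__ == "__main__":
    print(audit_httpoxy_rule(SAMPLE_WEB_CONFIG))
```
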
Comments
Comment #2
alexpott
Comment #3
alexpott
Actually not sure a change record is worth it here. The release note should suffice as all we are doing is removing a comment.
Comment #4
alexpott
Comment #5
alexpott
Comment #6
alexpott
Comment #7
sulfikar_s at Zyxware Technologies commented
Hello,
I've tested your patch. It applied cleanly without any hassle. The patch removes the comment from the web.config file, and 'httpoxy' from the file /core/misc/cspell/dictionary.txt.
Changing the status to RTBC!
Comment #8
catch
Needs a re-roll.
Comment #9
anushrikumari at OpenSense Labs commented
Comment #10
anushrikumari at OpenSense Labs commented
Rerolled patch #2 for 9.2.x
Comment #11
longwave
Comment #13
catch
Committed/pushed to 9.2.x, thanks!
Comment #14
jungle
httpoxy can not be removed simply
Needs followup?
Comment #15
longwave
Hmm, those system.install lines should be removed too, I think? As they refer to the lines in web.config that we have now removed?
Comment #16
longwave
This code only runs on PHP 7.0.8 and earlier, which can't happen in Drupal 9, so we can just remove it.
Comment #17
jungle
Yeah, opened #3185545: Remove requirement check on httpoxy from system_requirements() as followup.
Comment #18
jungle
RTBC if CI agrees, or continue with #3185545: Remove requirement check on httpoxy from system_requirements()
Comment #19
jungle
Comment #20
alexpott
Let's fix the spelling stuff in #3180998: Remove dead code due to minimum PHP version