[inets/3392] Fix for CVE-2016-1000107.

marcellanz · Whaileee · commit bbad31719fbe · 2025-08-25T18:58:53.000+02:00
diff --git a/lib/inets/src/http_server/httpd_script_env.erl b/lib/inets/src/http_server/httpd_script_env.erl
@@ -131,6 +131,8 @@ create_http_header_elements(ScriptType, [{Name, [Value | _] = Values } |
 create_http_header_elements(ScriptType, [{Name, Value} | Headers], Acc, OtherAcc) 
   when is_list(Value) ->
     try http_env_element(ScriptType, Name, Value) of
+        skipped ->
+            create_http_header_elements(ScriptType, Headers, Acc, [OtherAcc]);
         Element ->
             create_http_header_elements(ScriptType, Headers, [Element | Acc],
                                        OtherAcc)
@@ -140,6 +142,11 @@ create_http_header_elements(ScriptType, [{Name, Value} | Headers], Acc, OtherAcc
                                        [{Name, Value} | OtherAcc])
     end.
 
+http_env_element(cgi, "proxy", _Value)  ->
+  %% CVE-2016-1000107 – https://github.com/erlang/otp/issues/3392
+  skipped;
+http_env_element(cgi, "PROXY", _Value)  ->
+  skipped;
 http_env_element(cgi, VarName0, Value)  ->
     VarName = re:replace(VarName0,"-","_", [{return,list}, global]),
     {"HTTP_"++ http_util:to_upper(VarName), Value};
