1. 18
  1.  

  2. 4

    As the site mentions, the PHP vulnerabilities are with specific libraries (Guzzle 4+ and Artax are mentioned), not the curl library that comes with PHP that most sites are probably using. PHP’s curl library requires explicit setup to use a proxy by setting CURLOPT_PROXY.

    1. 1

      An updated Guzzle release is available, 5.3.1 and 6.2.1. Not yet available as RPM package in EPEL though.

    2. 2

      Perl (well, LWP) fixed this back in March 2001:

      http://www.nntp.perl.org/group/perl.libwww/2001/03/msg2249.html

      Way to go!

      1. 1

        On Windows, environment variables are case insensitive, so you shouldn’t use GetEnvironmentVariable but instead use the standard C environ global or GetEnvironmentStrings and parse the result manually. Cygwin is not affected by this problem.

        I believe the biggest problem is thinking that configuration and interprocess communication were somehow related since they both are a “bag of properties”. I mitigate this in my own designs by using lower-case environment variables for my own configuration – it “looks weird” to people, and occasionally I see other programmers send me patches that “fix” the case of my variables, but then I point out that my implementation of http_proxy was always immune to this attack, back in the 1990s.