As the site mentions, the PHP vulnerabilities are with specific libraries (Guzzle 4+ and Artax are mentioned), not the curl library that comes with PHP that most sites are probably using. PHP’s curl library requires explicit setup to use a proxy by setting CURLOPT_PROXY.
Updated Guzzle releases are available: 5.3.1 and 6.2.1. Not yet available as an RPM package in EPEL, though.
Perl (well, LWP) fixed this back in March 2001:
Way to go!
On Windows, environment variables are case insensitive, so you shouldn’t use GetEnvironmentVariable but instead use the standard C environ global or GetEnvironmentStrings and parse the result manually. Cygwin is not affected by this problem.
I believe the biggest problem is thinking that configuration and interprocess communication were somehow related since they both are a “bag of properties”. I mitigate this in my own designs by using lower-case environment variables for my own configuration – it “looks weird” to people, and occasionally I see other programmers send me patches that “fix” the case of my variables, but then I point out that my implementation of http_proxy was always immune to this attack, back in the 1990s.
Ruby is not at risk: http://ruby-doc.org/stdlib-2.3.1/libdoc/uri/rdoc/URI/Generic.html#method-i-find_proxy
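The find_proxy behaviour documented at the link above can be checked directly. This is an added example, not part of the original comments: it sets the variables a CGI server would set and shows which proxy URI#find_proxy returns. It assumes a case-sensitive environment (Linux or macOS); the addresses and the with_env, proxy_for and scenarios helpers are constructed for illustration.

```ruby
require 'uri'
require 'socket'

# Variables that influence find_proxy; cleared before every scenario.
PROXY_VARS = %w[http_proxy HTTP_PROXY CGI_HTTP_PROXY no_proxy NO_PROXY REQUEST_METHOD].freeze

# Constructed sample values (assumptions, not from the page).
TARGET    = URI('http://192.0.2.10/')                 # IP literal, so no DNS lookup is needed
UNTRUSTED = 'http://untrusted.example:8080'           # what a client's "Proxy:" header could carry
TRUSTED   = 'http://proxy.internal.example:3128'      # what an administrator configured

# Run the block with only the given variables set, then restore ENV.
def with_env(vars)
  saved = PROXY_VARS.map { |k| [k, ENV[k]] }.to_h
  PROXY_VARS.each { |k| ENV.delete(k) }
  vars.each { |k, v| ENV[k] = v }
  yield
ensure
  saved.each do |k, v|
    if v.nil? then ENV.delete(k) else ENV[k] = v end
  end
end

# Proxy chosen for TARGET under the given environment, as a string or nil.
def proxy_for(vars)
  with_env(vars) { TARGET.find_proxy&.to_s }
end

def scenarios
  cgi = { 'REQUEST_METHOD' => 'GET' } # presence of REQUEST_METHOD marks a CGI context
  {
    # CGI maps the request header "Proxy:" to HTTP_PROXY; it must be ignored.
    cgi_header_only: proxy_for(cgi.merge('HTTP_PROXY' => UNTRUSTED)),
    # Lower-case http_proxy cannot come from a header, so it is still honoured.
    cgi_lowercase:   proxy_for(cgi.merge('http_proxy' => TRUSTED, 'HTTP_PROXY' => UNTRUSTED)),
    # CGI_HTTP_PROXY is the explicit opt-in for CGI scripts.
    cgi_explicit:    proxy_for(cgi.merge('CGI_HTTP_PROXY' => TRUSTED, 'HTTP_PROXY' => UNTRUSTED)),
    # Outside CGI, upper-case HTTP_PROXY is accepted (Ruby prints a warning).
    non_cgi_upper:   proxy_for('HTTP_PROXY' => TRUSTED),
  }
end

scenarios.each { |name, proxy| puts "#{name}: #{proxy.inspect}" } if __FILE__ == $PROGRAM_NAME
```

On a platform where environment variable names are case-insensitive, http_proxy and HTTP_PROXY are the same variable, so the cgi_lowercase case cannot be set up this way there.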