Issue #2783079 by david_garcia, alexpott: DRUPAL-SA-CORE-2016-003 Completely broke IIS drupal deployments

2016-09-22 21:52:14 +01:00 · 2016-09-22 21:52:14 +01:00 · fe1eb450f2
parent 1c940d7240
commit fe1eb450f2
2 changed files with 38 additions and 2 deletions
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@ -833,6 +833,39 @@ function system_requirements($phase) {
    }
  }

+  // Warning for httpoxy on IIS with affected PHP versions
+  // @see https://www.drupal.org/node/2783079
+  if (strpos($software, 'Microsoft-IIS') !== FALSE
+    && (
+    version_compare(PHP_VERSION, '5.5.38', '<')
+    || (version_compare(PHP_VERSION, '5.6.0', '>=') && version_compare(PHP_VERSION, '5.6.24', '<'))
+    || (version_compare(PHP_VERSION, '7.0.0', '>=') && version_compare(PHP_VERSION, '7.0.9', '<'))
+    )) {
+    $dom = new \DOMDocument('1.0', 'UTF-8');
+    $webconfig = file_get_contents('web.config');
+    // If you are here the web.config file must - of course - be well formed.
+    // But the PHP DOM component will throw warnings on some XML compliant
+    // stuff, so silently parse the configuration file.
+    @$dom->loadHTML($webconfig);
+    $httpoxy_rewrite = FALSE;
+    foreach ($dom->getElementsByTagName('rule') as $rule) {
+      foreach ($rule->attributes as $attr) {
+        if (@$attr->name == 'name' && @$attr->nodeValue == 'Erase HTTP_PROXY') {
+          $httpoxy_rewrite = TRUE;
+          break 2;
+        }
+      }
+    }
+    if (!$httpoxy_rewrite) {
+      $requirements['iis_httpoxy_protection'] = [
+        'title' => t('IIS httpoxy protection'),
+        'value' => t('Your PHP runtime version is affected by the httpoxy vulnerability.'),
+        'description' => t('Either update your PHP runtime version or uncomment the "Erase HTTP_PROXY" rule in your web.config file and add HTTP_PROXY to the allowed headers list. See more details in the <a href=":link">security advisory</a>.', [':link' => 'https://www.drupal.org/SA-CORE-2016-003']),
+        'severity' => REQUIREMENT_ERROR,
+      ];
+    }
+  }
+
  return $requirements;
 }

--- a/web.config
+++ b/web.config
@ -33,7 +33,10 @@
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
          </conditions>
        </rule>
-
+     <!-- If running on a PHP version affected by httpoxy vulnerability
+      uncomment the following rule to mitigate it's impact. To make this
+      rule work, you will also need to add HTTP_PROXY to the allowed server
+      variables manually in IIS. See https://www.drupal.org/node/2783079.
        <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
          <match url="*.*" />
          <serverVariables>
@ -41,7 +44,7 @@
          </serverVariables>
          <action type="None" />
        </rule>
-
+    -->
    <!-- To redirect all users to access the site WITH the 'www.' prefix,
     http://example.com/foo will be redirected to http://www.example.com/foo)
     adapt and uncomment the following:   -->