Could you please check this project for the httpoxy.org vulnerability?
I'm particularly interested in this bit:
```php
if (getenv("http_proxy") !== false ) {
```
That file appears to be loaded as a prepend file before executing any PHP? But, did you realise that get_env is case-insensitive in many environments (such as mod_php?) - you may end up trusting the value of a Proxy header.
Apologies if it turns out you're unaffected. (But that'd be through pure luck, right?)
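The concern raised in this report, modelled as an added example (not code from this project or from the reporter): a CGI-style header-to-environment mapping, a case-insensitive lookup standing in for `getenv()`, and a resolver that ignores proxy variables inside a web request. The function names `cgi_env_from_headers`, `getenv_ci` and `trusted_proxy`, the host names and the addresses are hypothetical; the case-insensitive match is an assumption taken from the report.

```php
<?php
// Added example: models the lookup in plain arrays, does not touch the real environment.

// RFC 3875 mapping used by CGI-style SAPIs: a request header "Name-Part"
// is exposed to the script as the variable HTTP_NAME_PART.
function cgi_env_from_headers(array $headers): array {
    $env = [];
    foreach ($headers as $name => $value) {
        $env['HTTP_' . strtoupper(str_replace('-', '_', $name))] = $value;
    }
    return $env;
}

// Case-insensitive lookup, standing in for getenv() on SAPIs or platforms
// where the variable name is matched without regard to case (assumption).
function getenv_ci(array $env, string $name) {
    foreach ($env as $key => $value) {
        if (strcasecmp($key, $name) === 0) {
            return $value;
        }
    }
    return false;
}

// Hardened resolver: proxy variables are only trusted outside a web request,
// because in a web SAPI any HTTP_* variable may originate from the client.
function trusted_proxy(array $env, string $sapi) {
    if ($sapi !== 'cli') {
        return false;
    }
    return getenv_ci($env, 'http_proxy');
}

// Constructed sample request that carries a Proxy header.
$webEnv = cgi_env_from_headers([
    'Host'  => 'app.example',
    'Proxy' => 'http://192.0.2.10:8080',
]);

// Unchecked lookup: the client-supplied header value comes back.
var_dump(getenv_ci($webEnv, 'http_proxy'));
// Hardened lookup in a web SAPI: the value is ignored.
var_dump(trusted_proxy($webEnv, 'apache2handler'));
// Hardened lookup on the command line: the operator-set value is used.
var_dump(trusted_proxy(['http_proxy' => 'http://proxy.internal.example:3128'], 'cli'));
```

In real code the second argument would come from `php_sapi_name()`. Dropping the `Proxy` request header at the web server before it reaches PHP is a complementary mitigation.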