diff --git a/.htaccess b/.htaccess
index f4024c632ac6d117bfbaf3e816878574db8dc98c..4716fa12c8cb1f0caac10eebdb946c4dff28ce66 100644
--- a/.htaccess
+++ b/.htaccess
@@ -180,8 +180,10 @@ AddEncoding gzip svgz
-# Add headers to all responses.
+# Various header fixes.
 # Disable content sniffing, since it's an attack vector.
 Header always set X-Content-Type-Options nosniff
+ # Disable Proxy header, since it's an attack vector.
+ RequestHeader unset Proxy
diff --git a/composer.lock b/composer.lock
index 90b375c0f5bec3f7262fcfb4f6cfe0a4ffde1c6e..132fba5188265a4c9295c7ca2bb8f50f5d09ecf4 100644
--- a/composer.lock
+++ b/composer.lock
@@ -678,32 +678,32 @@
 },
 {
 "name": "guzzlehttp/guzzle",
- "version": "6.1.0",
+ "version": "6.2.1",
 "source": {
 "type": "git",
 "url": "https://github.com/guzzle/guzzle.git",
- "reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81"
+ "reference": "3f808fba627f2c5b69e2501217bf31af349c1427"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/guzzle/guzzle/zipball/66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
- "reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
+ "url": "https://api.github.com/repos/guzzle/guzzle/zipball/3f808fba627f2c5b69e2501217bf31af349c1427",
+ "reference": "3f808fba627f2c5b69e2501217bf31af349c1427",
 "shasum": ""
 },
 "require": {
- "guzzlehttp/promises": "~1.0",
- "guzzlehttp/psr7": "~1.1",
- "php": ">=5.5.0"
+ "guzzlehttp/promises": "^1.0",
+ "guzzlehttp/psr7": "^1.3.1",
+ "php": ">=5.5"
 },
 "require-dev": {
 "ext-curl": "*",
- "phpunit/phpunit": "~4.0",
- "psr/log": "~1.0"
+ "phpunit/phpunit": "^4.0",
+ "psr/log": "^1.0"
 },
 "type": "library",
 "extra": {
 "branch-alias": {
- "dev-master": "6.1-dev"
+ "dev-master": "6.2-dev"
 }
 },
 "autoload": {
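Review bot: `RequestHeader unset Proxy` is only honoured where mod_headers is loaded and `.htaccess` overrides are allowed, so it is defence in depth rather than the fix, and the comment should say so instead of leaving a reader to assume the header strip is what closes the hole; the ClientFactory change in this same commit is what stops the outbound client reading proxy settings from the environment. The rationale `# Disable Proxy header, since it's an attack vector.` also omits what the header does, which is the part an operator needs; I would write `# Drop the client-supplied Proxy request header: CGI/FastCGI exposes it to PHP as HTTP_PROXY, which an HTTP client that reads its proxy settings from the environment would treat as configuration.` The hunk header counts eight old and ten new lines but fewer are visible here, so the enclosing directive block's opening and closing lines (presumably an `<IfModule>` pair, not visible on this page) appear to have been lost in extraction, and the placement of the new directives inside that block cannot be confirmed from here.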
@@ -736,20 +736,20 @@
 "rest",
 "web service"
 ],
- "time": "2015-09-08 17:36:26"
+ "time": "2016-07-15 17:22:37"
 },
 {
 "name": "guzzlehttp/promises",
- "version": "1.0.2",
+ "version": "1.2.0",
 "source": {
 "type": "git",
 "url": "https://github.com/guzzle/promises.git",
- "reference": "97fe7210def29451ec74923b27e552238defd75a"
+ "reference": "c10d860e2a9595f8883527fa0021c7da9e65f579"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/guzzle/promises/zipball/97fe7210def29451ec74923b27e552238defd75a",
- "reference": "97fe7210def29451ec74923b27e552238defd75a",
+ "url": "https://api.github.com/repos/guzzle/promises/zipball/c10d860e2a9595f8883527fa0021c7da9e65f579",
+ "reference": "c10d860e2a9595f8883527fa0021c7da9e65f579",
 "shasum": ""
 },
 "require": {
@@ -787,20 +787,20 @@
 "keywords": [
 "promise"
 ],
- "time": "2015-08-15 19:37:21"
+ "time": "2016-05-18 16:56:05"
 },
 {
 "name": "guzzlehttp/psr7",
- "version": "1.2.0",
+ "version": "1.3.1",
 "source": {
 "type": "git",
 "url": "https://github.com/guzzle/psr7.git",
- "reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e"
+ "reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/guzzle/psr7/zipball/4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
- "reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
+ "url": "https://api.github.com/repos/guzzle/psr7/zipball/5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
+ "reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
 "shasum": ""
 },
 "require": {
@@ -816,7 +816,7 @@
 "type": "library",
 "extra": {
 "branch-alias": {
- "dev-master": "1.0-dev"
+ "dev-master": "1.4-dev"
 }
 },
 "autoload": {
@@ -845,7 +845,7 @@
 "stream",
 "uri"
 ],
- "time": "2015-08-15 19:32:36"
+ "time": "2016-06-24 23:00:38"
 },
 {
 "name": "ircmaxell/password-compat",
diff --git a/core/composer.json b/core/composer.json
index 550c7813d73473a1118a9d7ac0719e209641c0aa..2d58d79e1ea9f9d2950b74486c8ac92b0c604fae 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -21,7 +21,7 @@
 "twig/twig": "^1.23.1",
 "doctrine/common": "2.5.*",
 "doctrine/annotations": "1.2.*",
- "guzzlehttp/guzzle": "~6.1",
+ "guzzlehttp/guzzle": "~6.2",
 "symfony-cmf/routing": "~1.4",
 "easyrdf/easyrdf": "0.9.*",
 "zendframework/zend-feed": "~2.4",
diff --git a/core/lib/Drupal/Core/Http/ClientFactory.php b/core/lib/Drupal/Core/Http/ClientFactory.php
index a68f0851757f98132bd8976f1a77a489c45557a9..3dcf35374ebd2f81f6694f854a0ea3e1bc8c903c 100644
--- a/core/lib/Drupal/Core/Http/ClientFactory.php
+++ b/core/lib/Drupal/Core/Http/ClientFactory.php
@@ -52,6 +52,13 @@ public function fromOptions(array $config = []) {
 'User-Agent' => 'Drupal/' . \Drupal::VERSION . ' (+https://www.drupal.org/) ' . \GuzzleHttp\default_user_agent(),
 ],
 'handler' => $this->stack,
+ // Security consideration: prevent Guzzle from using environment variables
+ // to configure the outbound proxy.
+ 'proxy' => [
+ 'http' => NULL,
+ 'https' => NULL,
+ 'no' => [],
+ ]
 ];
 $config = NestedArray::mergeDeep($default_config, Settings::get('http_client_config', []), $config);
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 770a3a79a84f0a72b5e4c99079a3639031da8e91..d6d130e319d76dd4b810a4768830ceba7e5c0b91 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -325,9 +325,6 @@
 *
 * You can also define an array of host names that can be accessed directly,
 * bypassing the proxy, in $settings['http_client_config']['proxy']['no'].
- *
- * If these settings are not configured, the system environment variables
- * HTTP_PROXY, HTTPS_PROXY, and NO_PROXY on the web server will be used instead.
 */
 # $settings['http_client_config']['proxy']['http'] = 'http://proxy_user:proxy_pass@example.com:8080';
 # $settings['http_client_config']['proxy']['https'] = 'http://proxy_user:proxy_pass@example.com:8080';
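Review bot: The new multi-line `'proxy'` array closes with a bare `]` and no trailing comma, unlike the `'headers'` array just above it that ends with `],`; multi-line arrays in this codebase carry a trailing comma on the last element, so the closing lines should read `'no' => [],` followed by `],`. The NULL entries look like the right way to neutralise the environment-derived defaults — as far as I recall Guzzle only applies a per-scheme proxy when that key is set, so NULL disables it, and `NestedArray::mergeDeep` still lets `$settings['http_client_config']['proxy']` and the `$config` argument override them because non-array values are replaced rather than merged — but both points are worth confirming against the 6.2.1 handler code and `NestedArray` before relying on them. The comment should also make the scope explicit: this default only protects clients built through this factory, and code that instantiates a Guzzle client directly would presumably still read the environment, which is why the `.htaccess` and `web.config` header changes in this same commit remain necessary; something like `// This only covers clients created by this factory; the Proxy request header is additionally stripped at the web server.` `fromOptions()` begins and ends outside this hunk.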
diff --git a/web.config b/web.config
index a0535a10db23e3245063b5390625b46cf349c594..562847125fa7e4b09d83d605af2684f9ab5ec5d7 100644
--- a/web.config
+++ b/web.config
@@ -34,6 +34,14 @@
+
+
+
+
+
+
+
+