author: Joe Orton <jorton@apache.org> 2011-10-05 17:40:08 +0200
committer: Joe Orton <jorton@apache.org> 2011-10-05 17:40:08 +0200
commit: 31d85243ba13abebc7df77de696c6418c29c3953 (patch)
tree: 4541622688213cb3ad7af582c86cccde4ad64d36 /docs/manual
parent: - add a security warning, and tweak the example, in light of CVE-2011-3368 (diff)
- add note here in light of CVE-2011-3368
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1179272 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual')
-rw-r--r-- docs/manual/mod/mod_proxy.xml 9
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/manual/mod/mod_proxy.xml b/docs/manual/mod/mod_proxy.xml
index 0254f29561..d694301e4a 100644
--- a/docs/manual/mod/mod_proxy.xml
+++ b/docs/manual/mod/mod_proxy.xml
@@ -1220,6 +1220,15 @@ expressions</description>
<p>If you require a more flexible reverse-proxy configuration, see the
<directive module="mod_rewrite">RewriteRule</directive> directive with the
<code>[P]</code> flag.</p>
+
+ <note type="warning">
+ <title>Security Warning</title>
+ <p>Take care when constructing the target URL of the rule, considering
+ the security impact from allowing the client influence over the set of
+ URLs to which your server will act as a proxy. Ensure that the scheme
+ and hostname part of the URL is either fixed, or does not allow the
+ client undue influence.</p>
+ </note>
</usage>
</directivesynopsis>
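Review bot: the added <p> inside the new <note type="warning"> stays abstract. It asks the reader to keep the scheme and hostname "fixed" and to avoid "undue influence" by the client, but gives no indication of what a target URL that meets or fails that test looks like, and it does not name the advisory the commit message cites (CVE-2011-3368), so a reader of the rendered manual has nothing to follow up on. Consider adding one sentence or a short <example> showing a target whose scheme and hostname are literal text and only the path comes from the request, and a reference to the advisory. The phrase "the rule" is also ambiguous here, because the context paragraph just above ends by pointing at <directive module="mod_rewrite">RewriteRule</directive>; naming the directive this section documents would make clear which one the warning covers. Minor wording: "the scheme and hostname part of the URL is either fixed" should read "the scheme and hostname parts of the URL are either fixed".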