CVE-2016-5385 (retired)

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18
namespace conflicts and therefore does not protect applications from the
presence of untrusted client data in the HTTP_PROXY environment variable,
which might allow remote attackers to redirect an application's outbound
HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an
HTTP request, as demonstrated by (1) an application that makes a
getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an
"httpoxy" issue.

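The namespace conflict described above, as an added example that is not part of the original advisory or of PHP's code: a Python model of the RFC 3875 section 4.1.18 header mapping, with one gateway-side and one application-side mitigation. The function names, the `APP_OUTBOUND_PROXY` variable and the sample request are assumptions made for illustration.

```python
# Added example: a model of the CGI header mapping, not PHP's or any server's code.

def cgi_meta_variables(headers, process_env):
    """Build a CGI environment the way RFC 3875 section 4.1.18 describes:
    each header name is upper-cased, '-' becomes '_', and 'HTTP_' is prepended."""
    env = dict(process_env)
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def strip_proxy_header(headers):
    """Gateway-side mitigation: drop the client's Proxy header before mapping.
    Header names are case-insensitive, so compare in lower case."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]

def outbound_proxy(env):
    """Application-side mitigation: inside a CGI request HTTP_PROXY may be
    client data, so read the proxy from a separate, operator-set variable."""
    in_cgi = "GATEWAY_INTERFACE" in env or "REQUEST_METHOD" in env
    if in_cgi:
        return env.get("APP_OUTBOUND_PROXY")  # hypothetical variable name
    return env.get("HTTP_PROXY")

# Constructed sample request; 192.0.2.10 is a documentation address.
SAMPLE_HEADERS = [("Host", "app.example"), ("Proxy", "http://192.0.2.10:8080")]
CGI_BASE_ENV = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}

def demo():
    unsafe = cgi_meta_variables(SAMPLE_HEADERS, CGI_BASE_ENV)
    safe = cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS), CGI_BASE_ENV)
    return {
        "collision": unsafe.get("HTTP_PROXY"),    # client value lands in HTTP_PROXY
        "after_strip": safe.get("HTTP_PROXY"),    # header removed before mapping
        "app_choice": outbound_proxy(unsafe),     # CGI context ignores HTTP_PROXY
    }

if __name__ == "__main__":
    print(demo())
```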