Commit 8278eccf authored by Yann Ylavic

Merge r1753228 from trunk:

httpoxy workarounds, first draft patch as published for all 2.2.x+ sources

Submitted by: Dominic Scheirlinck <dominic vendhq.com>, ylavic
Reviewed by: wrowe, rpluem, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1756564 13f79535-47bb-0310-9956-ffa450edef68
parent 503b3682
+3 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.2.32

  *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues.
     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]

  *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
     [Jan Kaluza, Yann Ylavic]

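Review bot: Documentation point on the new CHANGES entry: it describes the fix only as mitigating "[f]cgi" issues, but this same commit also adds a default-config change (the `RequestHeader unset Proxy early` block in httpd.conf) whose comment says it is there for "any proxied backend servers", which is a different mitigation from the CGI environment guard and one that administrators with an existing httpd.conf will not pick up automatically. Suggest extending the entry with a clause such as "and strip the 'Proxy' request header in the default configuration" so readers of CHANGES know there is a configuration step as well as a code fix.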
+0 −7
@@ -103,13 +103,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

  *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues
      Trunk version of patch:
         http://svn.apache.org/viewvc?rev=1753228&view=rev
      Backport version for 2.4.x of patch:
         Trunk version of patch works (modulo CHANGES)
      +1: wrowe, rpluem, ylavic

  *) mod_mem_cache: Don't cache incomplete responses when the client aborts
                    the connection, unless they are complete.  PR 45049.
     Not applicable to trunk, mod_mem_cache doesn't exist there.
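Review bot: Style point on the removed proposal: the entry being deleted from the 2.2.x STATUS file still reads "Backport version for 2.4.x of patch", a leftover from the 2.4.x proposal text; nothing needs fixing since the whole entry goes away, but proposals copied across branches should be relabelled for the branch they sit in. The three +1 votes (wrowe, rpluem, ylavic) match the "Reviewed by" line of the commit message, so removing the entry on merge is consistent with project procedure.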
+9 −0
@@ -284,6 +284,15 @@ LogLevel warn
#
DefaultType text/plain

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
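Review bot: The mitigation for proxied backends in this hunk is conditional on mod_headers: because `RequestHeader unset Proxy early` sits inside `<IfModule headers_module>`, a server built or configured without mod_headers silently skips it, and a client-supplied `Proxy` header then reaches any backend this server proxies to, with only the separate util_script.c guard protecting CGIs run locally. Suggest saying so in the comment (for example "requires mod_headers; without it this directive is skipped") or making the headers_module dependency explicit in the accompanying documentation, so that an operator who trims LoadModule lines does not lose the protection without noticing. The `early` keyword is the right choice here, since it removes the header before other request processing can read it.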
+8 −0
@@ -165,6 +165,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
        else if (!strcasecmp(hdrs[i].key, "Content-length")) {
            apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
        }
        /* HTTP_PROXY collides with a popular envvar used to configure
         * proxies, don't let clients set/override it.  But, if you must...
         */
#ifndef SECURITY_HOLE_PASS_PROXY
        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
            ;
        }
#endif
        /*
         * You really don't want to disable this check, since it leaves you
         * wide open to CGIs stealing passwords and people viewing them
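Review bot: The new `else if (!strcasecmp(hdrs[i].key, "Proxy")) { ; }` branch has an intentionally empty body, which a later reader can easily mistake for dead or unfinished code; suggest moving the explanatory comment inside the braces, or adding a one-line "/* intentionally dropped, see above */" there, so the intent survives when the preceding comment is no longer adjacent. Two further observations: the branch only works because it precedes whichever later branch of this if/else chain exports remaining headers as HTTP_* variables, so that ordering needs to stay stable; and the `#ifndef SECURITY_HOLE_PASS_PROXY` escape hatch, while mirroring the pattern the surrounding comment describes for the password-stealing check, deserves the same "you really don't want to disable this" warning, since defining it re-enables the exact behaviour the CVE-2016-5387 entry in CHANGES is fixing.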