Index: branches/5.2.x/core/kernel/utility/http_query.php
===================================================================
diff -u -N -r16560 -r16589
--- branches/5.2.x/core/kernel/utility/http_query.php	(.../http_query.php)	(revision 16560)
+++ branches/5.2.x/core/kernel/utility/http_query.php	(.../http_query.php)	(revision 16589)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: http_query.php 16560 2017-07-16 13:17:03Z alex $
+* @version	$Id: http_query.php 16589 2017-07-19 07:41:29Z alex $
 * @package	In-Portal
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license      GNU/GPL
@@ -99,21 +99,25 @@
 	protected $_trustProxy = false;
 
 	/**
-	 * Loads info from $_POST, $_GET and
-	 * related arrays into common place
+	 * Loads info from $_POST, $_GET and related arrays into common place.
 	 *
-	 * @param string $order
-	 * @access public
+	 * @param string $order Order.
+	 *
+	 * @throws RuntimeException When "Proxy" header is present in Web Request.
 	 */
 	public function __construct($order = 'CGPF')
 	{
 		parent::__construct();
 
 		$this->Order = $order;
 
-		if ( isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
-			// when AJAX request is made from jQuery, then create ajax variable,
-			// so any logic based in it (like redirects) will not break down
+		if ( isset($_SERVER['HTTP_PROXY']) && PHP_SAPI !== 'cli' ) {
+			throw new RuntimeException('Web Requests with "Proxy" header are forbidden.');
+		}
+
+		if ( isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' ) {
+			// When AJAX request is made from jQuery, then create ajax variable,
+			// so any logic based in it (like redirects) will not break down.
 			$_GET['ajax'] = 'yes';
 		}