On Fri, Jul 22, 2016 at 11:57 AM, Perry E. Metzger <perry@piermont.com> wrote:
> On Tue, 19 Jul 2016 17:25:00 -0400 Jim Popovitch <jimpop@gmail.com> wrote:
> > On Tue, Jul 19, 2016 at 5:10 PM, Perry E. Metzger <perry@piermont.com> wrote:
> > > https://httpoxy.org/ seems to impact any python program (among many others) that runs under cgi. Does it cause trouble for mailman? What is a reasonable mitigation?
> >
> > If I understand the issue correctly (and admittedly it's kinda a new issue) this only affects proxied HTTP transactions, not HTTPS ones.
>
> That is incorrect, so far as I can tell.

According to httpoxy.org, HTTPS is not affected by HTTP_PROXY statements.
"And, of course, another defense-in-depth strategy that works is to
use HTTPS for internal requests, not just for securing your site’s
connections to the outside world. Those aren’t affected by HTTP_PROXY."

Of course, that's if you are using a very complicated split-mailman setup (web on one system, other parts on other hosts). If not, then what in your httpd.conf would be proxying? And if nothing is proxying, then why haven't you already disabled proxy statements? Are you running anything else on the mailman server, PHP, etc.?

-Jim P.
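
The header-to-environment mapping that httpoxy.org describes, with two places to drop the client-supplied value, as an added example that is not part of the original thread. The function names and the sample request are constructed for illustration, and the mapping follows RFC 3875 section 4.1.18.

```python
# Added illustration; function names and the sample request are constructed.

def cgi_environ(headers):
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18
    describes: upper-case the name, replace '-' with '_', prefix 'HTTP_'."""
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers):
    """Front-end mitigation: drop any Proxy header before the CGI layer."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def scrub_cgi_environ(env):
    """In-script mitigation: when running as CGI, forget HTTP_PROXY, since
    the web server may have set it from a client header. Returns a copy."""
    clean = dict(env)
    if "REQUEST_METHOD" in clean:
        clean.pop("HTTP_PROXY", None)
    return clean


# Constructed sample request; 192.0.2.10 is a documentation address.
SAMPLE_HEADERS = {
    "Host": "lists.example.org",
    "Proxy": "http://192.0.2.10:8080",
    "HTTPS-Proxy": "http://192.0.2.10:8080",
}

if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS)
    # The Proxy header lands on the same name HTTP clients read as config.
    print("HTTP_PROXY from header:", env.get("HTTP_PROXY"))
    # A header can only create HTTP_-prefixed names, never HTTPS_PROXY itself.
    print("HTTPS_PROXY present:", "HTTPS_PROXY" in env)
    stripped = cgi_environ(strip_proxy_header(SAMPLE_HEADERS))
    print("after header strip:", stripped.get("HTTP_PROXY"))
    print("after env scrub:", scrub_cgi_environ(env).get("HTTP_PROXY"))
```

Outside CGI (no `REQUEST_METHOD`), `scrub_cgi_environ` leaves `HTTP_PROXY` alone, so an operator-configured proxy keeps working.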