[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Perry E. Metzger perry at piermont.com
Sat Jul 23 11:19:37 EDT 2016


On Fri, 22 Jul 2016 19:59:45 -0700 Mark Sapiro <mark at msapiro.net>
wrote:
> And Mailman 2.1's CGIs will do absolutely nothing with an HTTP_PROXY
> environment variable. They won't look for it even if it's there.
> They look at things like query strings and POST data to determine
> what to do and then they write HTML to stdout.

Well, there are implicit things that use HTTP_PROXY. If Mailman makes
any HTTP requests itself, or calls anything that does, it might cause
trouble that it is in the environment. I take it that this is *not*
the case?

(The problem is not that CGI scripts explicitly look at HTTP_PROXY,
it is that many things *implicitly* look at it.)

Perry
-- 
Perry E. Metzger		perry at piermont.com
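
An added example, not part of the original message and not Mailman code: a check of the implicit lookup discussed above, showing what Python's own urllib picks up from a CGI environment and a scrub step a CGI wrapper can apply before anything else reads the environment. The sample environment, the host names and the helper names are constructed for illustration.

```python
import os
import urllib.request
from unittest import mock

# Constructed sample: the environment a web server hands to a CGI script when
# the request carried a "Proxy:" header (CGI maps request headers to
# upper-cased HTTP_* variables). proxy.invalid is a placeholder host.
SAMPLE_CGI_ENV = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "",
    "HTTP_HOST": "lists.example.org",
    "HTTP_PROXY": "http://proxy.invalid:8080",
}


def looks_like_cgi(environ):
    """True when the environment carries variables a CGI gateway sets."""
    return "GATEWAY_INTERFACE" in environ or "REQUEST_METHOD" in environ


def scrub_httpoxy(environ):
    """Return a copy with the request-derived HTTP_PROXY removed under CGI.

    Lowercase http_proxy is kept: CGI upper-cases header names, so the
    lowercase form is a local setting rather than request data.
    """
    cleaned = dict(environ)
    if looks_like_cgi(cleaned):
        cleaned.pop("HTTP_PROXY", None)
    return cleaned


def implicit_proxies(environ):
    """Proxies urllib would use implicitly if os.environ were `environ`."""
    with mock.patch.dict(os.environ, environ, clear=True):
        return urllib.request.getproxies_environment()


if __name__ == "__main__":
    plain = {"HTTP_PROXY": SAMPLE_CGI_ENV["HTTP_PROXY"]}
    print("outside CGI :", implicit_proxies(plain))
    print("under CGI   :", implicit_proxies(SAMPLE_CGI_ENV))
    print("scrubbed    :", sorted(scrub_httpoxy(SAMPLE_CGI_ENV)))
```

Current CPython's urllib drops the upper-case variable when REQUEST_METHOD is present; the scrub covers child processes and other libraries that inherit the environment and may not make that distinction.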

