[New-bugs-announce] [issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

Rémi Rampin report at bugs.python.org
Mon Jul 18 18:30:13 EDT 2016


New submission from Rémi Rampin:

https://httpoxy.org/

It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests.

This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.

See also: bug against python-requests https://github.com/kennethreitz/requests/issues/3422

----------
components: Library (Lib)
messages: 270795
nosy: remram
priority: normal
severity: normal
status: open
title: "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
type: enhancement

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27568>
_______________________________________

