[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

Hans-Peter Jansen report at bugs.python.org
Wed Aug 3 07:15:23 EDT 2016


Hans-Peter Jansen added the comment:

> (In msg271688, I pondered if I need to backport a behavior change from issue26804 which will allow lower cased proxies, but then, I decided against it as it will introduce unnecessary changes to these security fix releases).

Hmm, Senthil, while I understand that you want to avoid unnecessary changes, doesn't this result in non-deterministic behaviour of proxy handling without my patch?

+       header. If you need to use an HTTP proxy in a CGI environment, either use
+       ``ProxyHandler`` explicitly, or make sure the variable name is in
+       lowercase (or at least the ``_proxy`` suffix).

Without 26804, this fix works by chance only for 3.3 and 3.4, since it depends on os.environ dictionary order, which is non-deterministic by definition. 26804 resolves this by making sure a lower-case _proxy var has a higher priority than the other variants.

----------
nosy: +frispete

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27568>
_______________________________________
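The two behaviours discussed in this comment, as an added example that is not part of the thread and not CPython's own urllib code: a hypothetical get_proxies() that ignores HTTP_PROXY when running under CGI (REQUEST_METHOD set, so the value may have come from a client "Proxy:" request header) and lets an all-lowercase ``*_proxy`` name win regardless of dictionary iteration order. The environment values below are constructed for the demo.

```python
import os


def get_proxies(environ=None):
    """Return {scheme: url} from <scheme>_proxy variables in ``environ``.

    Hypothetical re-implementation, written for illustration only.
    """
    if environ is None:
        environ = os.environ
    proxies = {}
    # Pass 1: accept any spelling of <scheme>_proxy, keyed by lower-cased scheme.
    for name, value in environ.items():
        lname = name.lower()
        if lname.endswith("_proxy") and value:
            proxies[lname[:-6]] = value
    # HTTPoxy: under CGI the web server exports a client "Proxy:" header as
    # HTTP_PROXY, so whatever pass 1 collected for "http" is untrusted.
    if "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
    # Pass 2: an exactly lower-case name always wins, so the result no longer
    # depends on the order in which the mapping is iterated; an empty
    # lower-case value explicitly unsets the scheme.
    for name, value in environ.items():
        if name.endswith("_proxy") and name == name.lower():
            if value:
                proxies[name[:-6]] = value
            else:
                proxies.pop(name[:-6], None)
    return proxies


if __name__ == "__main__":
    # Constructed CGI environment: only the lower-case setting survives.
    cgi_env = {
        "REQUEST_METHOD": "GET",
        "HTTP_PROXY": "http://injected.example:8080",  # attacker-influenced
        "http_proxy": "http://proxy.example:3128",     # operator-configured
    }
    print(get_proxies(cgi_env))
    # Same variables, reversed insertion order: identical result.
    flipped = dict(reversed(list(cgi_env.items())))
    print(get_proxies(flipped) == get_proxies(cgi_env))
```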