[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Rémi Rampin
report at bugs.python.org
Mon Jul 18 18:30:13 EDT 2016
New submission from Rémi Rampin:
https://httpoxy.org/
It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests.
This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.
See also: bug against python-requests https://github.com/kennethreitz/requests/issues/3422
----------
components: Library (Lib)
messages: 270795
nosy: remram
priority: normal
severity: normal
status: open
title: "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
type: enhancement
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27568>
_______________________________________
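
The mechanism described in the report, with one script-side mitigation, as an added example that is not part of the original message or of CPython's code. `cgi_environ`, `drop_request_proxy`, `urllib_proxies` and the sample header values are hypothetical names and constructed data; whether urllib itself already ignores the variable depends on the Python version, so the check is done explicitly here.

```python
import os
import urllib.request


def cgi_environ(headers):
    """Meta-variables a CGI server derives from request headers (RFC 3875):
    header "Name-X" becomes HTTP_NAME_X. Simplified model for this example."""
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def drop_request_proxy(environ=os.environ):
    """Call at the top of a CGI script, before any outbound request.
    Under CGI, upper-case HTTP_PROXY comes from the client's "Proxy" header,
    so it is removed. Lower-case http_proxy is not produced by the header
    mapping and is left alone. Returns True if something was removed."""
    if "REQUEST_METHOD" not in environ:   # not running as CGI
        return False
    return environ.pop("HTTP_PROXY", None) is not None


def urllib_proxies(env):
    """Proxies urllib would pick up if the process environment were env."""
    saved = dict(os.environ)
    try:
        os.environ.clear()
        os.environ.update(env)
        return urllib.request.getproxies_environment()
    finally:
        os.environ.clear()
        os.environ.update(saved)


# Constructed request: the Proxy header value is a placeholder address.
SAMPLE_HEADERS = {"Host": "app.example", "Proxy": "http://proxy.invalid:8080"}

if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS)
    print("HTTP_PROXY from header:", env.get("HTTP_PROXY"))
    print("removed:", drop_request_proxy(env))
    print("urllib proxies after scrub:", urllib_proxies(env))
```
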