diff options
| author | Senthil Kumaran <senthil@uthcode.com> | 2016-07-30 12:49:53 (GMT) |
|---|---|---|
| committer | Senthil Kumaran <senthil@uthcode.com> | 2016-07-30 12:49:53 (GMT) |
| commit | 75d7b615ba70fc5759d16dee95bbd8f0474d8a9c (patch) | |
| tree | 6fedc2530db2160bf68039a3bf28b4fefbb39743 /Lib/urllib.py | |
| parent | a850ef698e55d07173051747e96207496c6f1bdb (diff) | |
| download | cpython-75d7b615ba70fc5759d16dee95bbd8f0474d8a9c.zip cpython-75d7b615ba70fc5759d16dee95bbd8f0474d8a9c.tar.gz cpython-75d7b615ba70fc5759d16dee95bbd8f0474d8a9c.tar.bz2 | |
Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue reported and patch contributed by RĂ©mi Rampin.
Diffstat (limited to 'Lib/urllib.py')
| -rw-r--r-- | Lib/urllib.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/Lib/urllib.py b/Lib/urllib.py index 139fab9..c3ba2c9 100644 --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -1380,12 +1380,21 @@ def getproxies_environment(): If you need a different way, you can pass a proxies dictionary to the [Fancy]URLopener constructor. """ + # Get all variables proxies = {} for name, value in os.environ.items(): name = name.lower() if value and name[-6:] == '_proxy': proxies[name[:-6]] = value + # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY + # (non-all-lowercase) as it may be set from the web server by a "Proxy:" + # header from the client + # If "proxy" is lowercase, it will still be used thanks to the next block + if 'REQUEST_METHOD' in os.environ: + proxies.pop('http', None) + + # Get lowercase variables for name, value in os.environ.items(): if name[-6:] == '_proxy': name = name.lower() |