diff options
author | Senthil Kumaran <senthil@uthcode.com> | 2016-07-31 06:39:06 (GMT) |
---|---|---|
committer | Senthil Kumaran <senthil@uthcode.com> | 2016-07-31 06:39:06 (GMT) |
commit | 17742f2d45c9dd7ca777e33601a26e80576fdbf6 (patch) | |
tree | f83a9638dd08398dd1c93e4941a794a836b67f8c /Lib/urllib | |
parent | 3a32bdfaa7494bfc172b04bdb1c8159978af8d42 (diff) | |
parent | 436fe5a447abb69e5e5a4f453325c422af02dcaa (diff) | |
download | cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.zip cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.tar.gz cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.tar.bz2 |
[merge from 3.4] - Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by RĂ©mi Rampin.
Diffstat (limited to 'Lib/urllib')
-rw-r--r-- | Lib/urllib/request.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py index 1731fe3..3be327d 100644 --- a/Lib/urllib/request.py +++ b/Lib/urllib/request.py @@ -2412,6 +2412,12 @@ def getproxies_environment(): name = name.lower() if value and name[-6:] == '_proxy': proxies[name[:-6]] = value + # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY + # (non-all-lowercase) as it may be set from the web server by a "Proxy:" + # header from the client + # If "proxy" is lowercase, it will still be used thanks to the next block + if 'REQUEST_METHOD' in os.environ: + proxies.pop('http', None) for name, value in os.environ.items(): if name[-6:] == '_proxy': name = name.lower() |