summaryrefslogtreecommitdiffstats
path: root/Lib/urllib
diff options
context:
space:
mode:
authorSenthil Kumaran <senthil@uthcode.com>2016-07-31 06:39:06 (GMT)
committerSenthil Kumaran <senthil@uthcode.com>2016-07-31 06:39:06 (GMT)
commit17742f2d45c9dd7ca777e33601a26e80576fdbf6 (patch)
treef83a9638dd08398dd1c93e4941a794a836b67f8c /Lib/urllib
parent3a32bdfaa7494bfc172b04bdb1c8159978af8d42 (diff)
parent436fe5a447abb69e5e5a4f453325c422af02dcaa (diff)
downloadcpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.zip
cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.tar.gz
cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.tar.bz2
[merge from 3.4] - Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode. Issue #27568 Reported and patch contributed by RĂ©mi Rampin.
Diffstat (limited to 'Lib/urllib')
-rw-r--r--Lib/urllib/request.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 1731fe3..3be327d 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2412,6 +2412,12 @@ def getproxies_environment():
name = name.lower()
if value and name[-6:] == '_proxy':
proxies[name[:-6]] = value
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+ # header from the client
+ # If "proxy" is lowercase, it will still be used thanks to the next block
+ if 'REQUEST_METHOD' in os.environ:
+ proxies.pop('http', None)
for name, value in os.environ.items():
if name[-6:] == '_proxy':
name = name.lower()