Prevent HTTPoxy attack (CVE-2016-1000110)

Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode. Issue #27568 Reported and patch contributed by Rémi Rampin.
author: Senthil Kumaran <senthil@uthcode.com> 2016-07-31 06:24:16 (GMT)
committer: Senthil Kumaran <senthil@uthcode.com> 2016-07-31 06:24:16 (GMT)
commit: 4cbb23f8f278fd1f71dcd5968aa0b3f0b4f3bd5d (patch)
tree: 6b9afcfb2dbbcaba109a7b00785f711af576c538 /Misc/NEWS
parent: d27a7c1f22b263a3eef5d380c7058c993bd3a451 (diff)
download: cpython-4cbb23f8f278fd1f71dcd5968aa0b3f0b4f3bd5d.zip
cpython-4cbb23f8f278fd1f71dcd5968aa0b3f0b4f3bd5d.tar.gz
cpython-4cbb23f8f278fd1f71dcd5968aa0b3f0b4f3bd5d.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index ef5bdc8..e9a8f28 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,10 @@ Core and Builtins
 Library
 -------
 
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+  that the script is in CGI mode.
+
 - Issue #24521: Fix possible integer overflows in the pickle module.
 
 - Issue #22931: Allow '[' and ']' in cookie values.
author	Senthil Kumaran <senthil@uthcode.com>	2016-07-31 06:24:16 (GMT)
committer	Senthil Kumaran <senthil@uthcode.com>	2016-07-31 06:24:16 (GMT)
commit	4cbb23f8f278fd1f71dcd5968aa0b3f0b4f3bd5d (patch)
tree	6b9afcfb2dbbcaba109a7b00785f711af576c538 /Misc/NEWS
parent	d27a7c1f22b263a3eef5d380c7058c993bd3a451 (diff)
download	cpython-4cbb23f8f278fd1f71dcd5968aa0b3f0b4f3bd5d.zip cpython-4cbb23f8f278fd1f71dcd5968aa0b3f0b4f3bd5d.tar.gz cpython-4cbb23f8f278fd1f71dcd5968aa0b3f0b4f3bd5d.tar.bz2