[merge from 3.4] - Prevent HTTPoxy attack (CVE-2016-1000110)

Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode. Issue #27568 Reported and patch contributed by Rémi Rampin.
author: Senthil Kumaran <senthil@uthcode.com> 2016-07-31 06:39:06 (GMT)
committer: Senthil Kumaran <senthil@uthcode.com> 2016-07-31 06:39:06 (GMT)
commit: 17742f2d45c9dd7ca777e33601a26e80576fdbf6 (patch)
tree: f83a9638dd08398dd1c93e4941a794a836b67f8c /Misc
parent: 3a32bdfaa7494bfc172b04bdb1c8159978af8d42 (diff)
parent: 436fe5a447abb69e5e5a4f453325c422af02dcaa (diff)
download: cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.zip
cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.tar.gz
cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 6b2b419..efe9b28 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -34,6 +34,10 @@ Core and Builtins
 Library
 -------
 
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+  that the script is in CGI mode.
+
 - Issue #27130: In the "zlib" module, fix handling of large buffers
   (typically 4 GiB) when compressing and decompressing.  Previously, inputs
   were limited to 4 GiB, and compression and decompression operations did not
author	Senthil Kumaran <senthil@uthcode.com>	2016-07-31 06:39:06 (GMT)
committer	Senthil Kumaran <senthil@uthcode.com>	2016-07-31 06:39:06 (GMT)
commit	17742f2d45c9dd7ca777e33601a26e80576fdbf6 (patch)
tree	f83a9638dd08398dd1c93e4941a794a836b67f8c /Misc
parent	3a32bdfaa7494bfc172b04bdb1c8159978af8d42 (diff)
parent	436fe5a447abb69e5e5a4f453325c422af02dcaa (diff)
download	cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.zip cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.tar.gz cpython-17742f2d45c9dd7ca777e33601a26e80576fdbf6.tar.bz2