* [PATCH] extras/exec_cgi: fix for HTTPoxy vulnerability
@ 2016-08-05 7:01 Eric Wong
0 siblings, 0 replies; only message in thread
From: Eric Wong @ 2016-08-05 7:01 UTC (permalink / raw)
To: yahns-public
Bad clients may set the Proxy: header in the response and
cause any CGI programs we execute to use the value of that
header as the HTTP proxy. This affects folks calling code
which respects the HTTP_PROXY environment variable in CGI
programs.
ref: https://httpoxy.org/
---
| 1 +
1 file changed, 1 insertion(+)
--git a/extras/exec_cgi.rb b/extras/exec_cgi.rb
index 6bb40c1..b546e1f 100644
--- a/extras/exec_cgi.rb
+++ b/extras/exec_cgi.rb
@@ -86,6 +86,7 @@ def initialize(*args)
# Calls the app
def call(env)
+ env.delete('HTTP_PROXY') # ref: https://httpoxy.org/
cgi_env = { "GATEWAY_INTERFACE" => "CGI/1.1" }
PASS_VARS.each { |key| val = env[key] and cgi_env[key] = val }
env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ }
--
EW
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2016-08-05 7:01 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-08-05 7:01 [PATCH] extras/exec_cgi: fix for HTTPoxy vulnerability Eric Wong
Code repositories for project(s) associated with this public inbox
http://yhbt.net/yahns.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).