yahns Ruby server user/dev discussion
* [PATCH] extras/exec_cgi: fix for HTTPoxy vulnerability
@ 2016-08-05  7:01 Eric Wong
From: Eric Wong @ 2016-08-05  7:01 UTC (permalink / raw)
  To: yahns-public

Bad clients may set the Proxy: header in the response and
cause any CGI programs we execute to use the value of that
header as the HTTP proxy.  This affects folks calling code
which respects the HTTP_PROXY environment variable in CGI
programs.

ref: https://httpoxy.org/
---
 extras/exec_cgi.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/extras/exec_cgi.rb b/extras/exec_cgi.rb
index 6bb40c1..b546e1f 100644
--- a/extras/exec_cgi.rb
+++ b/extras/exec_cgi.rb
@@ -86,6 +86,7 @@ def initialize(*args)
 
   # Calls the app
   def call(env)
+    env.delete('HTTP_PROXY') # ref: https://httpoxy.org/
     cgi_env = { "GATEWAY_INTERFACE" => "CGI/1.1" }
     PASS_VARS.each { |key| val = env[key] and cgi_env[key] = val }
     env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ }
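
Review bot: The added `env.delete('HTTP_PROXY')` at the top of `call` mutates the Rack env hash owned by the caller, so anything else holding that hash also loses the key, while the value only needs to stay out of `cgi_env`. Consider keeping the fix local to the copy step, either by skipping the key in the `env.each` line (`... if key =~ /\AHTTP_/ && key != 'HTTP_PROXY'`) or by calling `cgi_env.delete('HTTP_PROXY')` after both copy loops, which also covers `PASS_VARS`. The diffstat shows one insertion in one file, so no regression test accompanies the change; a test that sends a `Proxy:` request header and asserts the child environment has no `HTTP_PROXY` would pin the behaviour.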
-- 
EW

