yahns Ruby server user/dev discussion
* [PATCH] extras/exec_cgi: fix for HTTPoxy vulnerability
@ 2016-08-05  7:01 Eric Wong
From: Eric Wong @ 2016-08-05  7:01 UTC (permalink / raw)
  To: yahns-public

Bad clients may set the Proxy: header in the response and
cause any CGI programs we execute to use the value of that
header as the HTTP proxy.  This affects folks calling code
which respects the HTTP_PROXY environment variable in CGI
programs.

ref: https://httpoxy.org/
---
 extras/exec_cgi.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/extras/exec_cgi.rb b/extras/exec_cgi.rb
index 6bb40c1..b546e1f 100644
--- a/extras/exec_cgi.rb
+++ b/extras/exec_cgi.rb
@@ -86,6 +86,7 @@ def initialize(*args)
 
   # Calls the app
   def call(env)
+    env.delete('HTTP_PROXY') # ref: https://httpoxy.org/
     cgi_env = { "GATEWAY_INTERFACE" => "CGI/1.1" }
     PASS_VARS.each { |key| val = env[key] and cgi_env[key] = val }
     env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ }
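Review bot: `env.delete('HTTP_PROXY')` mutates the Rack `env` hash handed into `call`, so any middleware, logger or error handler wrapping this app also loses the header after this point; if that side effect is unwanted, the same protection can be applied at the copy step instead, e.g. `env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ && key != 'HTTP_PROXY' }` (and, if `PASS_VARS` could ever list `HTTP_PROXY`, in that loop as well). A regression test that sends a `Proxy:` request header and asserts the spawned CGI environment has no `HTTP_PROXY` would document the intent better than the URL comment alone.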
-- 
EW
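The mechanism the commit message describes, as an added example that is not yahns code: a request header named `Proxy` is mapped by the CGI meta-variable rule to `HTTP_PROXY`, and a server that copies every `HTTP_*` variable into the child's environment hands that value to any HTTP client library in the CGI program that honours `HTTP_PROXY`. The functions below (`cgi_meta_name`, `rack_env_from_headers`, `cgi_env_naive`, `cgi_env_hardened`, `demo`) and the request headers are constructed for this illustration; the hardened variant filters at the copy step and leaves the caller's `env` untouched.

```ruby
# Added example (not yahns code): how a client-supplied "Proxy:" request
# header becomes the HTTP_PROXY CGI meta-variable, and how to keep it out of
# the environment handed to a CGI child.  All names here are hypothetical.

# Map an HTTP request header name to its CGI meta-variable name (RFC 3875,
# section 4.1.18): uppercase, '-' becomes '_', prefixed with HTTP_.
# "Proxy" -> "HTTP_PROXY", "X-Forwarded-For" -> "HTTP_X_FORWARDED_FOR".
def cgi_meta_name(header_name)
  'HTTP_' + header_name.upcase.tr('-', '_')
end

# Build a minimal Rack-style env from constructed request headers, the way a
# server would before calling the app.
def rack_env_from_headers(headers)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/cgi-bin/hello' }
  headers.each { |name, value| env[cgi_meta_name(name)] = value }
  env
end

# Naive CGI environment: copy every HTTP_* variable verbatim (the pre-fix
# behaviour the commit message describes).
def cgi_env_naive(env)
  cgi_env = { 'GATEWAY_INTERFACE' => 'CGI/1.1' }
  env.each { |key, val| cgi_env[key] = val if key =~ /\AHTTP_/ }
  cgi_env
end

# Meta-variables that must never reach a child process because libraries
# treat them as configuration rather than as request data.
DROPPED_META_VARS = %w[HTTP_PROXY].freeze

# Hardened CGI environment: same copy, but the dropped variables are skipped
# and the caller's env hash is not modified (no env.delete).
def cgi_env_hardened(env)
  cgi_env = { 'GATEWAY_INTERFACE' => 'CGI/1.1' }
  env.each do |key, val|
    next unless key =~ /\AHTTP_/
    next if DROPPED_META_VARS.include?(key)
    cgi_env[key] = val
  end
  cgi_env
end

# Constructed request: an ordinary Host header plus a hostile Proxy header
# (value is a placeholder, not a real host).
ATTACK_HEADERS = {
  'Host'  => 'example.test',
  'Proxy' => 'http://proxy.invalid:8080',
}.freeze

# Run both builders over the same request and report what the child would see.
def demo
  env      = rack_env_from_headers(ATTACK_HEADERS)
  naive    = cgi_env_naive(env)
  hardened = cgi_env_hardened(env)
  {
    naive_proxy:    naive['HTTP_PROXY'],     # leaked to the child
    hardened_proxy: hardened['HTTP_PROXY'],  # nil: never forwarded
    host_kept:      hardened['HTTP_HOST'],   # ordinary headers still pass
    env_untouched:  env.key?('HTTP_PROXY'),  # true: Rack env not mutated
  }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Filtering on the copy keeps the fix in the one place that crosses the process boundary; the patch above instead removes the key from `env` up front, which also covers the `PASS_VARS` loop at the cost of mutating the shared request hash.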

