From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,BAYES_00 shortcircuit=no autolearn=ham autolearn_force=no version=3.4.0 Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id B6C2520226 for ; Fri, 5 Aug 2016 07:01:08 +0000 (UTC) From: Eric Wong To: yahns-public@yhbt.net Subject: [PATCH] extras/exec_cgi: fix for HTTPoxy vulnerability Date: Fri, 5 Aug 2016 07:01:08 +0000 Message-Id: <20160805070108.20590-1-e@80x24.org> List-Id: Bad clients may set the Proxy: header in the response and cause any CGI programs we execute to use the value of that header as the HTTP proxy. This affects folks calling code which respects the HTTP_PROXY environment variable in CGI programs. ref: https://httpoxy.org/ --- extras/exec_cgi.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/extras/exec_cgi.rb b/extras/exec_cgi.rb index 6bb40c1..b546e1f 100644 --- a/extras/exec_cgi.rb +++ b/extras/exec_cgi.rb @@ -86,6 +86,7 @@ def initialize(*args) # Calls the app def call(env) + env.delete('HTTP_PROXY') # ref: https://httpoxy.org/ cgi_env = { "GATEWAY_INTERFACE" => "CGI/1.1" } PASS_VARS.each { |key| val = env[key] and cgi_env[key] = val } env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ } -- EW
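Review bot: `env.delete('HTTP_PROXY')` at the top of `call` mutates the caller's Rack `env` hash rather than the `cgi_env` copy that is built on the very next line, so any middleware or app sharing that hash silently loses the key as well; the filtering belongs where the `HTTP_*` headers are copied, e.g. `env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ && key != 'HTTP_PROXY' }`, which keeps the child's environment free of the attacker-controlled value without side effects on the request env. It is also worth confirming that `PASS_VARS` (not visible in this hunk) cannot carry `HTTP_PROXY` through the earlier copy, and that the inline comment or changelog states the header arrives in the client's request rather than "the response" as the commit message currently reads.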