author    Eric Wong <e@80x24.org>  2016-08-05 06:57:37 +0000
committer Eric Wong <e@80x24.org>  2016-08-05 06:57:37 +0000
commit    90daf4b0713cc2f683c59901f2512f95e9117015
tree      90b1efeff5a26614b202bb2f6ae8fdce5a2b3a3a
parent    013d24d62f65368a2f6fdeef2e4680c5345e6992
download  yahns-90daf4b0713cc2f683c59901f2512f95e9117015.tar.gz
Bad clients may set the Proxy: header in the response and
cause any CGI programs we execute to use the value of that
header as the HTTP proxy.  This affects folks calling code
which respects the HTTP_PROXY environment variable in CGI
programs.

ref: https://httpoxy.org/
-rw-r--r--  extras/exec_cgi.rb  1
1 files changed, 1 insertions, 0 deletions
diff --git a/extras/exec_cgi.rb b/extras/exec_cgi.rb
index 6bb40c1..b546e1f 100644
--- a/extras/exec_cgi.rb
+++ b/extras/exec_cgi.rb
@@ -86,6 +86,7 @@ class ExecCgi
 
   # Calls the app
   def call(env)
+    env.delete('HTTP_PROXY') # ref: https://httpoxy.org/
     cgi_env = { "GATEWAY_INTERFACE" => "CGI/1.1" }
     PASS_VARS.each { |key| val = env[key] and cgi_env[key] = val }
     env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ }
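Review bot: the added `env.delete('HTTP_PROXY')` at the top of `call` mutates the Rack `env` hash that the server handed in, so any middleware, logger or wrapper that inspects `env` after this app returns will no longer see that the client sent a `Proxy:` header (the information is useful for detection, since a legitimate browser never sends it). The only route by which the value reaches the CGI child is the copy loop two lines below, `env.each { |key,val| cgi_env[key] = val if key =~ /\AHTTP_/ }`; filtering there instead, e.g. `cgi_env[key] = val if key =~ /\AHTTP_/ && key != 'HTTP_PROXY'`, or calling `cgi_env.delete('HTTP_PROXY')` after the loop, gives the same protection for the subprocess without side effects on the caller. Either way, a test that builds an `env` containing `'HTTP_PROXY'` and asserts the resulting `cgi_env` lacks the key would pin the fix, since the `/\AHTTP_/` copy is exactly the path httpoxy abuses and a later refactor of that loop could silently reintroduce it.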