Mercurial > p > roundup > code
comparison roundup/cgi/client.py @ 5924:b40059d7036f
issue2550925 strip HTTP_PROXY environment variable
if deployed as CGI and client sends an http PROXY
header, the tainted HTTP_PROXY environment variable is created. It
can affect calls using requests package or curl. A roundup admin
would have to write detectors/extensions that use these mechanisms.
Not exploitable in default config.
See: https://httpoxy.org/
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 13 Oct 2019 17:45:06 -0400 |
| parents | 9938c40e03bc |
| children | db9bd45d50ad |
comparison
equal
deleted
inserted
replaced
| 5923:45c691a81f75 | 5924:b40059d7036f |
|---|---|
| 464 self.ngettext = translator.ngettext | 464 self.ngettext = translator.ngettext |
| 465 | 465 |
| 466 def main(self): | 466 def main(self): |
| 467 """ Wrap the real main in a try/finally so we always close off the db. | 467 """ Wrap the real main in a try/finally so we always close off the db. |
| 468 """ | 468 """ |
| 469 | |
| 470 # strip HTTP_PROXY issue2550925 in case | |
| 471 # PROXY header is set. | |
| 472 if 'HTTP_PROXY' in self.env: | |
| 473 del(self.env['HTTP_PROXY']) | |
| 474 if 'HTTP_PROXY' in os.environ: | |
| 475 del(os.environ['HTTP_PROXY']) | |
| 476 | |
| 469 xmlrpc_enabled = self.instance.config.WEB_ENABLE_XMLRPC | 477 xmlrpc_enabled = self.instance.config.WEB_ENABLE_XMLRPC |
| 470 rest_enabled = self.instance.config.WEB_ENABLE_REST | 478 rest_enabled = self.instance.config.WEB_ENABLE_REST |
| 471 try: | 479 try: |
| 472 if xmlrpc_enabled and self.path == 'xmlrpc': | 480 if xmlrpc_enabled and self.path == 'xmlrpc': |
| 473 self.handle_xmlrpc() | 481 self.handle_xmlrpc() |