Mercurial Repository: p/roundup/code: test/test

comparison test/test_cgi.py @ 5924:b40059d7036f

issue2550925 strip HTTP_PROXY environment variable if deployed as CGI and client sends an http PROXY header, the tainted HTTP_PROXY environment variable is created. It can affect calls using requests package or curl. A roundup admin would have to write detectors/extensions that use these mechanisms. Not exploitable in default config. See: https://httpoxy.org/

author	John Rouillard <rouilj@ieee.org>
date	Sun, 13 Oct 2019 17:45:06 -0400
parents	26cd8e8bbed3
children	fe334430ca07

comparison

equal deleted inserted replaced

-:45c691a81f75
+:b40059d7036f
 cl = self.setupClient({ }, 'issue',
 env_addon = {'HTTP_REFERER': 'http://whoami.com/path/'})
 out = pt.render(cl, 'issue', MockNull())
 self.assertEqual(out, '<?xml version="1.0" encoding="UTF-8"?><feed\n    xmlns="http://www.w3.org/2005/Atom"/>\n')
+def testHttpProxyStrip(self):
+os.environ['HTTP_PROXY'] = 'http://bad.news/here/'
+cl = self.setupClient({ }, 'issue',
+env_addon = {'HTTP_PROXY': 'http://bad.news/here/'})
+out = []
+def wh(s):
+out.append(s)
+cl.write_html = wh
+cl.main()
+self.assertFalse('HTTP_PROXY' in cl.env)
+self.assertFalse('HTTP_PROXY' in os.environ)
 def testCsrfProtection(self):
 # need to set SENDMAILDEBUG to prevent
 # downstream issue when email is sent on successful
 # issue creation. Also delete the file afterwards
 # just tomake sure that someother test looking for

Mercurial > p > roundup > code

comparison test/test_cgi.py @ 5924:b40059d7036f