Mercurial > p > roundup > code

diff CHANGES.txt @ 5924:b40059d7036f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
issue2550925 strip HTTP_PROXY environment variable if deployed as CGI and client sends an http PROXY header, the tainted HTTP_PROXY environment variable is created. It can affect calls using requests package or curl. A roundup admin would have to write detectors/extensions that use these mechanisms. Not exploitable in default config. See: https://httpoxy.org/
author John Rouillard <rouilj@ieee.org>
date Sun, 13 Oct 2019 17:45:06 -0400
parents 7264b2e79a31
children 94c415c7cd36
line wrap: on
line diff
--- a/CHANGES.txt	Sun Oct 13 17:43:03 2019 -0400
+++ b/CHANGES.txt	Sun Oct 13 17:45:06 2019 -0400
@@ -186,6 +186,12 @@
   by John Rouillard.
 - issue2551066: IMAP mail handling wasn't working and produced a
   traceback.
+- issue2550925 if deployed as CGI and client sends an http PROXY
+  header, the tainted HTTP_PROXY environment variable is created. It
+  can affect calls using requests package or curl. A roundup admin
+  would have to write detectors/extensions that use these mechanisms.
+  Not exploitable in default config. (John Rouillard)
+
 
 2018-07-13 1.6.0
Roundup Issue Tracker: http://roundup-tracker.org/