Mercurial > p > roundup > code

diff roundup/cgi/client.py @ 5924:b40059d7036f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
issue2550925 strip HTTP_PROXY environment variable if deployed as CGI and client sends an http PROXY header, the tainted HTTP_PROXY environment variable is created. It can affect calls using requests package or curl. A roundup admin would have to write detectors/extensions that use these mechanisms. Not exploitable in default config. See: https://httpoxy.org/
author John Rouillard <rouilj@ieee.org>
date Sun, 13 Oct 2019 17:45:06 -0400
parents 9938c40e03bc
children db9bd45d50ad
line wrap: on
line diff
--- a/roundup/cgi/client.py	Sun Oct 13 17:43:03 2019 -0400
+++ b/roundup/cgi/client.py	Sun Oct 13 17:45:06 2019 -0400
@@ -466,6 +466,14 @@
     def main(self):
         """ Wrap the real main in a try/finally so we always close off the db.
         """
+
+        # strip HTTP_PROXY issue2550925 in case
+        # PROXY header is set.
+        if 'HTTP_PROXY' in self.env:
+            del(self.env['HTTP_PROXY'])
+        if 'HTTP_PROXY' in os.environ:
+            del(os.environ['HTTP_PROXY'])
+
         xmlrpc_enabled = self.instance.config.WEB_ENABLE_XMLRPC
         rest_enabled   = self.instance.config.WEB_ENABLE_REST
         try:
Roundup Issue Tracker: http://roundup-tracker.org/