Mercurial > p > roundup > code
diff test/test_cgi.py @ 5924:b40059d7036f
issue2550925 strip HTTP_PROXY environment variable
if deployed as CGI and client sends an http PROXY
header, the tainted HTTP_PROXY environment variable is created. It
can affect calls using requests package or curl. A roundup admin
would have to write detectors/extensions that use these mechanisms.
Not exploitable in default config.
See: https://httpoxy.org/
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 13 Oct 2019 17:45:06 -0400 |
| parents | 26cd8e8bbed3 |
| children | fe334430ca07 |
line wrap: on
line diff
--- a/test/test_cgi.py Sun Oct 13 17:43:03 2019 -0400 +++ b/test/test_cgi.py Sun Oct 13 17:45:06 2019 -0400 @@ -830,6 +830,18 @@ out = pt.render(cl, 'issue', MockNull()) self.assertEqual(out, '<?xml version="1.0" encoding="UTF-8"?><feed\n xmlns="http://www.w3.org/2005/Atom"/>\n') + def testHttpProxyStrip(self): + os.environ['HTTP_PROXY'] = 'http://bad.news/here/' + cl = self.setupClient({ }, 'issue', + env_addon = {'HTTP_PROXY': 'http://bad.news/here/'}) + out = [] + def wh(s): + out.append(s) + cl.write_html = wh + cl.main() + self.assertFalse('HTTP_PROXY' in cl.env) + self.assertFalse('HTTP_PROXY' in os.environ) + def testCsrfProtection(self): # need to set SENDMAILDEBUG to prevent # downstream issue when email is sent on successful