Mercurial > p > roundup > code
changeset 5924:b40059d7036f
issue2550925 strip HTTP_PROXY environment variable
if deployed as CGI and client sends an http PROXY
header, the tainted HTTP_PROXY environment variable is created. It
can affect calls using requests package or curl. A roundup admin
would have to write detectors/extensions that use these mechanisms.
Not exploitable in default config.
See: https://httpoxy.org/
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 13 Oct 2019 17:45:06 -0400 |
| parents | 45c691a81f75 |
| children | 7cf8f6389aad |
| files | CHANGES.txt roundup/cgi/client.py test/test_cgi.py |
| diffstat | 3 files changed, 26 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/CHANGES.txt Sun Oct 13 17:43:03 2019 -0400 +++ b/CHANGES.txt Sun Oct 13 17:45:06 2019 -0400 @@ -186,6 +186,12 @@ by John Rouillard. - issue2551066: IMAP mail handling wasn't working and produced a traceback. +- issue2550925 if deployed as CGI and client sends an http PROXY + header, the tainted HTTP_PROXY environment variable is created. It + can affect calls using requests package or curl. A roundup admin + would have to write detectors/extensions that use these mechanisms. + Not exploitable in default config. (John Rouillard) + 2018-07-13 1.6.0
--- a/roundup/cgi/client.py Sun Oct 13 17:43:03 2019 -0400 +++ b/roundup/cgi/client.py Sun Oct 13 17:45:06 2019 -0400 @@ -466,6 +466,14 @@ def main(self): """ Wrap the real main in a try/finally so we always close off the db. """ + + # strip HTTP_PROXY issue2550925 in case + # PROXY header is set. + if 'HTTP_PROXY' in self.env: + del(self.env['HTTP_PROXY']) + if 'HTTP_PROXY' in os.environ: + del(os.environ['HTTP_PROXY']) + xmlrpc_enabled = self.instance.config.WEB_ENABLE_XMLRPC rest_enabled = self.instance.config.WEB_ENABLE_REST try:
--- a/test/test_cgi.py Sun Oct 13 17:43:03 2019 -0400 +++ b/test/test_cgi.py Sun Oct 13 17:45:06 2019 -0400 @@ -830,6 +830,18 @@ out = pt.render(cl, 'issue', MockNull()) self.assertEqual(out, '<?xml version="1.0" encoding="UTF-8"?><feed\n xmlns="http://www.w3.org/2005/Atom"/>\n') + def testHttpProxyStrip(self): + os.environ['HTTP_PROXY'] = 'http://bad.news/here/' + cl = self.setupClient({ }, 'issue', + env_addon = {'HTTP_PROXY': 'http://bad.news/here/'}) + out = [] + def wh(s): + out.append(s) + cl.write_html = wh + cl.main() + self.assertFalse('HTTP_PROXY' in cl.env) + self.assertFalse('HTTP_PROXY' in os.environ) + def testCsrfProtection(self): # need to set SENDMAILDEBUG to prevent # downstream issue when email is sent on successful