[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Senthil Kumaran
report at bugs.python.org
Sat Aug 6 14:06:11 EDT 2016
Senthil Kumaran added the comment:
Hi Hans-Peter,
In 3.3 (95b09ccc8a3e) and 3.4 (3c19023c9fec) the change completely removes any variant of http_proxy if REQUEST_METHOD is set. The only way to have an http-based proxy in a CGI environment is by using the ProxyHandler method. This is the solution introduced for the security fix.
If I backport your patch from issue26804, I imagined that we will be introducing a new feature for other environment variables like NO_PROXY, which folks might be prepared for in the security fix release. That was my concern in not making the other change. Hope this reasoning helps.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27568>
_______________________________________
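
The behaviour described in the message above, as an added example that is not part of the original post or of CPython's own code. It assumes a Python 3 interpreter that carries the fix; the proxy URLs and the helper names (proxies_seen, explicit_opener, http_proxy_of) are constructed for illustration.

```python
import os
import urllib.request
from unittest import mock

# Constructed CGI environment: the web server copies every request header
# into an HTTP_* variable, so a client-sent "Proxy:" header becomes HTTP_PROXY.
CGI_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_PROXY": "http://untrusted.example:8080",     # constructed value
    "HTTPS_PROXY": "http://corp-proxy.example:3128",   # constructed value
}


def proxies_seen(env):
    """Return the proxies urllib reads from the given environment."""
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment()


def explicit_opener(proxy_url):
    """Build an opener whose HTTP proxy comes from trusted configuration,
    passed to ProxyHandler directly instead of read from the environment."""
    handler = urllib.request.ProxyHandler({"http": proxy_url})
    return urllib.request.build_opener(handler)


def http_proxy_of(opener):
    """Return the HTTP proxy configured on an opener, or None."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return handler.proxies.get("http")
    return None


if __name__ == "__main__":
    # With REQUEST_METHOD set, HTTP_PROXY is dropped; HTTPS_PROXY is kept.
    print("CGI:    ", proxies_seen(CGI_ENV))
    # Same variables outside CGI: HTTP_PROXY is honoured as before.
    non_cgi = {k: v for k, v in CGI_ENV.items() if k != "REQUEST_METHOD"}
    print("non-CGI:", proxies_seen(non_cgi))
    # A CGI script that needs an HTTP proxy configures it explicitly.
    opener = explicit_opener("http://corp-proxy.example:3128")
    print("opener: ", http_proxy_of(opener))
```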