From 8262994e7ee27b0e3cdc9e62516d3940fd060f34 Mon Sep 17 00:00:00 2001 From: Remi Rampin Date: Mon, 18 Jul 2016 18:20:30 -0400 Subject: [PATCH] HTTPoxy mitigation for urllib If we are running as a CGI script ('REQUEST_METHOD' environment variable is set), getproxies_environment() should ignore an uppercase HTTP_PROXY environment variable (still accept lowercase HTTP_proxy or http_proxy). This is because such a variable can be set by an attacker sending a "Proxy:" header, possibly to a proxy under their control. --- Lib/urllib.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Lib/urllib.py b/Lib/urllib.py index 139fab9..34e7441 100644 --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -1380,12 +1380,20 @@ def getproxies_environment(): If you need a different way, you can pass a proxies dictionary to the [Fancy]URLopener constructor. """ + # Get all variables proxies = {} for name, value in os.environ.items(): name = name.lower() if value and name[-6:] == '_proxy': proxies[name[:-6]] = value + # If we are running as CGI script, forget HTTP_PROXY (uppercase) as it + # may be set from the web server by a "Proxy:" header from the client + # If lowercase, it will still be used thanks to the next block + if 'REQUEST_METHOD' in os.environ: + proxies.pop('http_proxy', None) + + # Get lowercase variables for name, value in os.environ.items(): if name[-6:] == '_proxy': name = name.lower() -- 2.9.1
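Review bot: The new `proxies.pop('http_proxy', None)` can never remove the entry it targets, because the first loop stores each proxy under `name[:-6]` — the variable name with its `_proxy` suffix stripped — so an uppercase `HTTP_PROXY` lands in the dict as key `'http'`, not `'http_proxy'`. As written the CGI guard is a no-op and the server-injected value survives into the returned dictionary; the line should read `proxies.pop('http', None)`. A short comment above it, such as `# keys are stored without the '_proxy' suffix`, would keep the next reader from making the same slip. getproxies_environment() continues past the hunk (the second loop's assignment and the return are not shown), so the re-add path for an all-lowercase http_proxy could not be checked here.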