From 14cf126de0fc60a1bdb746d46dbefce2f4d3a77f Mon Sep 17 00:00:00 2001
From: Remi Rampin
Date: Mon, 18 Jul 2016 18:24:53 -0400
Subject: [PATCH] HTTPoxy mitigation for urllib

If we are running as a CGI script ('REQUEST_METHOD' environment variable is set), getproxies_environment() should ignore an uppercase HTTP_PROXY environment variable (still accept lowercase HTTP_proxy or http_proxy). This is because such a variable can be set by an attacker sending a "Proxy:" header, possibly to a proxy under their control.
---
 Lib/urllib/request.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 1731fe3..9d4cb33 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2412,6 +2412,11 @@ def getproxies_environment():
         name = name.lower()
         if value and name[-6:] == '_proxy':
             proxies[name[:-6]] = value
+    # If we are running as CGI script, forget HTTP_PROXY (uppercase) as it
+    # may be set from the web server by a "Proxy:" header from the client
+    # If lowercase, it will still be used thanks to the next block
+    if 'REQUEST_METHOD' in os.environ:
+        proxies.pop('http_proxy', None)
     for name, value in os.environ.items():
         if name[-6:] == '_proxy':
             name = name.lower()
-- 
2.9.1
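Review bot: The added `proxies.pop('http_proxy', None)` never removes anything, because the first pass stores each entry under `name[:-6]` — the scheme with the `_proxy` suffix stripped — so the key written for HTTP_PROXY is `'http'`, not `'http_proxy'`; the line should read `proxies.pop('http', None)`. As written the mitigation is a no-op and an uppercase HTTP_PROXY injected into the CGI environment would still be returned, so a regression test that sets both `REQUEST_METHOD` and `HTTP_PROXY` and asserts `'http'` is absent from the result would have caught this. Since the first pass lowercases every name before storing, the corrected pop also discards mixed-case spellings such as `Http_Proxy`, which the new comment's "(uppercase)" understates; only a name whose `_proxy` suffix is already lowercase is restored by the second pass, which matches the commit message. getproxies_environment's body starts and ends outside the hunk.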