Author remram
Recipients remram
Date 2016-07-18.22:30:13
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1468881013.81.0.152859673137.issue27568@psf.upfronthosting.co.za>
In-reply-to
Content
https://httpoxy.org/

It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests.

This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.

See also: bug against python-requests https://github.com/kennethreitz/requests/issues/3422
History
Date User Action Args
2016-07-18 22:30:13remramsetrecipients: + remram
2016-07-18 22:30:13remramsetmessageid: <1468881013.81.0.152859673137.issue27568@psf.upfronthosting.co.za>
2016-07-18 22:30:13remramlinkissue27568 messages
2016-07-18 22:30:13remramcreate