Message 270795 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	remram
Recipients	remram
Date	2016-07-18.22:30:13
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1468881013.81.0.152859673137.issue27568@psf.upfronthosting.co.za>
In-reply-to

Content
https://httpoxy.org/ It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests. This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl. See also: bug against python-requests https://github.com/kennethreitz/requests/issues/3422

https://httpoxy.org/

It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests.

This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.

See also: bug against python-requests https://github.com/kennethreitz/requests/issues/3422

History
Date	User	Action	Args
2016-07-18 22:30:13	remram	set	recipients: + remram
2016-07-18 22:30:13	remram	set	messageid: <1468881013.81.0.152859673137.issue27568@psf.upfronthosting.co.za>
2016-07-18 22:30:13	remram	link	issue27568 messages
2016-07-18 22:30:13	remram	create