
Author remram
Recipients remram
Date 2016-07-18.22:30:13

It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests.

This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.

See also: bug against python-requests
Date                 User    Action  Args
2016-07-18 22:30:13  remram  set     recipients: + remram
2016-07-18 22:30:13  remram  set     messageid: <>
2016-07-18 22:30:13  remram  link    issue27568 messages
2016-07-18 22:30:13  remram  create
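The mitigation the report asks for, sketched as an added example (not code from this tracker or from CPython): it shows how a `Proxy` request header becomes `HTTP_PROXY` under CGI and drops that variable before any proxy map is built. The function names, `SAMPLE_ENV` and the `.example` hostnames are constructed for illustration.

```python
import os
import urllib.request


def cgi_meta_variables(headers):
    """Header -> CGI variable mapping from RFC 3875 section 4.1.18:
    upper-case the name, replace '-' with '_', prepend 'HTTP_'."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}


def proxies_from(environ):
    """Case-insensitive *_proxy lookup, i.e. the behaviour the report describes."""
    return {k.lower()[:-6]: v for k, v in environ.items()
            if v and k.lower().endswith("_proxy")}


def scrub_cgi_proxy(environ):
    """Copy of environ with HTTP_PROXY dropped when running under CGI.

    REQUEST_METHOD is always set for a CGI request. Lower-case http_proxy is
    kept: a request header can only ever produce the upper-case name."""
    env = dict(environ)
    if "REQUEST_METHOD" in env:
        env.pop("HTTP_PROXY", None)
    return env


def safe_opener(environ=None):
    """urllib opener with an explicit proxy map built from the scrubbed
    environment, so urllib does not consult the raw environment itself."""
    env = scrub_cgi_proxy(os.environ if environ is None else environ)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(proxies_from(env)))


# Constructed CGI environment: the operator's settings plus request headers.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "https_proxy": "http://proxy.internal.example:3128",  # set by the operator
    **cgi_meta_variables({"Proxy": "http://client-supplied.example:8080",
                          "User-Agent": "demo"}),
}

if __name__ == "__main__":
    print("before:", proxies_from(SAMPLE_ENV))
    print("after: ", proxies_from(scrub_cgi_proxy(SAMPLE_ENV)))
```

Outside CGI (no `REQUEST_METHOD`), `scrub_cgi_proxy` leaves `HTTP_PROXY` alone, so command-line use of the same script keeps its operator-configured proxy.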