Message270795
https://httpoxy.org/
It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests.
This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.
See also: bug against python-requests https://github.com/kennethreitz/requests/issues/3422 |
|
Date |
User |
Action |
Args |
2016-07-18 22:30:13 | remram | set | recipients:
+ remram |
2016-07-18 22:30:13 | remram | set | messageid: <1468881013.81.0.152859673137.issue27568@psf.upfronthosting.co.za> |
2016-07-18 22:30:13 | remram | link | issue27568 messages |
2016-07-18 22:30:13 | remram | create | |
|