path: root/meta/recipes-devtools/python/python/CVE-2016-1000110.patch
blob: 071175acecbee7d2e2ba7162995e50d69664bcb4 (plain)
From 5be8d3e97b1d2e526548cb346fd5f8980d31616a Mon Sep 17 00:00:00 2001
From: Senthil Kumaran <senthil@uthcode.com>
Date: Sat, 30 Jul 2016 05:49:53 -0700
Subject: [PATCH] Prevent HTTPoxy attack (CVE-2016-1000110)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.

Issue reported and patch contributed by Rémi Rampin.

Upstream-Status: Backport
CVE: CVE-2016-1000110

Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 Doc/howto/urllib2.rst   |  5 +++++
 Doc/library/urllib.rst  | 10 ++++++++++
 Doc/library/urllib2.rst |  5 +++++
 Lib/test/test_urllib.py | 12 ++++++++++++
 Lib/urllib.py           |  9 +++++++++
 Misc/ACKS               |  1 +
 Misc/NEWS               |  4 ++++
 7 files changed, 46 insertions(+)

Index: Python-2.7.11/Doc/howto/urllib2.rst
===================================================================
--- Python-2.7.11.orig/Doc/howto/urllib2.rst
+++ Python-2.7.11/Doc/howto/urllib2.rst
@@ -523,6 +523,11 @@ setting up a `Basic Authentication`_ han
     through a proxy.  However, this can be enabled by extending urllib2 as
     shown in the recipe [#]_.
 
+.. note::
+
+    ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+    the documentation on :func:`~urllib.getproxies`.
+
 
 Sockets and Layers
 ==================
Index: Python-2.7.11/Doc/library/urllib.rst
===================================================================
--- Python-2.7.11.orig/Doc/library/urllib.rst
+++ Python-2.7.11/Doc/library/urllib.rst
@@ -293,6 +293,16 @@ Utility functions
    find it, looks for proxy information from Mac OSX System Configuration for
    Mac OS X and Windows Systems Registry for Windows.
 
+    .. note::
+
+        If the environment variable ``REQUEST_METHOD`` is set, which usually
+        indicates your script is running in a CGI environment, the environment
+        variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+        because that variable can be injected by a client using the "Proxy:"
+        HTTP header. If you need to use an HTTP proxy in a CGI environment,
+        either use ``ProxyHandler`` explicitly, or make sure the variable name
+        is in lowercase (or at least the ``_proxy`` suffix).
+
 .. note::
     urllib also exposes certain utility functions like splittype, splithost and
     others parsing url into various components. But it is recommended to use
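Review bot: the last sentence of this note ("make sure the variable name is in lowercase (or at least the ``_proxy`` suffix)") promises behaviour that the Lib/urllib.py hunk in this backport does not implement: `getproxies_environment()` lowercases every name with `name = name.lower()` before storing it, so `proxies.pop('http', None)` removes the entry whether it came from `HTTP_PROXY` or `http_proxy`, and nothing re-reads the lowercase form afterwards. Either reword the note to say that any `http` proxy taken from the environment is ignored when `REQUEST_METHOD` is set (and point users at an explicit `ProxyHandler` only), or carry the lowercase re-read pass into the code so the documentation and the implementation agree.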
Index: Python-2.7.11/Doc/library/urllib2.rst
===================================================================
--- Python-2.7.11.orig/Doc/library/urllib2.rst
+++ Python-2.7.11/Doc/library/urllib2.rst
@@ -229,6 +229,11 @@ The following classes are provided:
 
    To disable autodetected proxy pass an empty dictionary.
 
+    .. note::
+
+       ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+       see the documentation on :func:`~urllib.getproxies`.
+
 
 .. class:: HTTPPasswordMgr()
 
Index: Python-2.7.11/Misc/ACKS
===================================================================
--- Python-2.7.11.orig/Misc/ACKS
+++ Python-2.7.11/Misc/ACKS
@@ -1110,6 +1110,7 @@ Jérôme Radix
 Burton Radons
 Jeff Ramnani
 Brodie Rao
+Rémi Rampin
 Senko Rasic
 Antti Rasinen
 Nikolaus Rath
Index: Python-2.7.11/Lib/test/test_urllib.py
===================================================================
--- Python-2.7.11.orig/Lib/test/test_urllib.py
+++ Python-2.7.11/Lib/test/test_urllib.py
@@ -162,6 +162,18 @@ class ProxyTests(unittest.TestCase):
         self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com'))
 
 
+    def test_proxy_cgi_ignore(self):
+        try:
+            self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+            proxies = urllib.getproxies_environment()
+            self.assertEqual('http://somewhere:3128', proxies['http'])
+            self.env.set('REQUEST_METHOD', 'GET')
+            proxies = urllib.getproxies_environment()
+            self.assertNotIn('http', proxies)
+        finally:
+            self.env.unset('REQUEST_METHOD')
+            self.env.unset('HTTP_PROXY')
+
 class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin):
     """Test urlopen() opening a fake http connection."""
 
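Review bot: the new test only exercises the uppercase `HTTP_PROXY` case; add a second assertion that a lowercase `http_proxy` set alongside `REQUEST_METHOD` still yields `proxies['http']`, since that is what the urllib.rst note in this patch promises, and it would have exposed the missing lowercase pass in the Lib/urllib.py hunk. Minor layout point: the method is inserted after the two blank lines that used to separate the classes, so it now has two blank lines before it and leaves only one before `class urlopen_HttpTests`; move the method up so the class boundary keeps its two blank lines.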
Index: Python-2.7.11/Lib/urllib.py
===================================================================
--- Python-2.7.11.orig/Lib/urllib.py
+++ Python-2.7.11/Lib/urllib.py
@@ -1382,11 +1382,21 @@ def getproxies_environment():
     [Fancy]URLopener constructor.
 
     """
+    # Get all variables
     proxies = {}
     for name, value in os.environ.items():
         name = name.lower()
         if value and name[-6:] == '_proxy':
             proxies[name[:-6]] = value
+
+    # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+    # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+    # header from the client
+    # If "proxy" is lowercase, it will still be used thanks to the next block
+    if 'REQUEST_METHOD' in os.environ:
+        proxies.pop('http', None)
+
+    # Get lowercase variables
     return proxies
 
 def proxy_bypass_environment(host):
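Review bot: the comments added here ("If "proxy" is lowercase, it will still be used thanks to the next block" and "# Get lowercase variables") describe a second pass that is not in this hunk: after `proxies.pop('http', None)` the function goes straight to `return proxies`, so a lowercase `http_proxy` is dropped under CGI as well, because every name was already lowercased at `name = name.lower()` in the loop above. Either add the lowercase re-read loop that the comments and the urllib.rst note assume, or remove the two comments so the code does not claim behaviour it lacks. Restricting the pop to the `http` key is the right scope, since `HTTP_PROXY` is the variable a CGI server derives from a client-supplied `Proxy:` header; a one-line comment saying why only `http` is removed would help the next reader.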
Index: Python-2.7.11/Misc/NEWS
===================================================================
--- Python-2.7.11.orig/Misc/NEWS
+++ Python-2.7.11/Misc/NEWS
@@ -10,6 +10,10 @@ What's New in Python 2.7.11?
 Library
 -------
 
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+  that the script is in CGI mode.
+
 - Issue #25624: ZipFile now always writes a ZIP_STORED header for directory
   entries.  Patch by Dingyuan Wang.