Your message dated Wed, 09 Dec 2020 05:51:56 +0000
with message-id <[email protected]>
and subject line Bug#834625: fixed in lighttpd 1.4.56-1
has caused the Debian Bug report #834625,
regarding lighttpd: Add autopkgtests test to check mitigation against HTTPoxy
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
834625: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834625
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lighttpd
Version: 1.4.39-1
Severity: wishlist
Tags: patch

Dear lighttpd maintainers,

Please, find attached the patches to include a DEP-8 test to check if
lighttpd correctly avoids passing http proxy variables to CGIs.

Hope this helps,

Santiago


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_CO.UTF-8, LC_CTYPE=es_CO.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
From 0375a66681646d73b07b0876c3936ae7851bc4d8 Mon Sep 17 00:00:00 2001
From: Santiago Ruano Rincón <[email protected]>
Date: Wed, 10 Aug 2016 17:54:07 +0200
Subject: [PATCH 1/2] Add debian/tests/do-not-emit-http-proxy-to-cgi

---
 debian/tests/control                       |  3 ++
 debian/tests/do-not-emit-http-proxy-to-cgi | 55 ++++++++++++++++++++++++++++++
 debian/tests/test.py                       | 32 +++++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 debian/tests/control
 create mode 100644 debian/tests/do-not-emit-http-proxy-to-cgi
 create mode 100755 debian/tests/test.py

diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..6b69209
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+Tests: do-not-emit-http-proxy-to-cgi
+Depends: @, python2.7, python-requests, curl, netcat
+Restrictions: needs-root, allow-stderr
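Review bot: the dependency list does not match what the test actually runs. `debian/tests/test.py` and the `cgi.assign` entry both invoke `/usr/bin/python`, which is shipped by the `python` (python-minimal) package rather than by `python2.7`, and `nc -n -l -p` is the netcat-traditional invocation while `netcat` is only a virtual package, so the testbed may resolve it to a different implementation. Suggest `Depends: @, python, python-requests, curl, netcat-traditional`. Since the script appends to `/etc/lighttpd/conf-available/10-cgi.conf` and enables modules without restoring the original state, `breaks-testbed` belongs in `Restrictions` too.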
diff --git a/debian/tests/do-not-emit-http-proxy-to-cgi b/debian/tests/do-not-emit-http-proxy-to-cgi
new file mode 100644
index 0000000..c33eabb
--- /dev/null
+++ b/debian/tests/do-not-emit-http-proxy-to-cgi
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+set -ex
+
+# Based on PoC available in httpoxy Github
+
+DESTHOST="localhost"
+DESTPORT=16666
+
+service lighttpd restart
+
+DOCUMENTROOT=$(grep 'server.document-root' /etc/lighttpd/lighttpd.conf | awk -F '= ' '{print $2}' | sed -e 's/"//g')
+CGIFILENAME=test.py
+INPUTPROXY=/tmp/input-proxy
+OUTPUTCURL=/tmp/output-curl
+
+cat << EOF >> /etc/lighttpd/conf-available/10-cgi.conf
+cgi.assign      = (
+        ".py"  => "/usr/bin/python",
+)
+EOF
+
+lighty-enable-mod proxy
+lighty-enable-mod cgi
+
+service lighttpd force-reload
+
+# if service returns other than 0, the test should stop and exit with error since set -x
+service lighttpd status
+
+if [ ! -d $DOCUMENTROOT ] ; then
+    echo "$DOCUMENTROOT not found"
+    exit 1
+fi
+
+cp debian/tests/$CGIFILENAME $DOCUMENTROOT/
+chmod +x $DOCUMENTROOT/$CGIFILENAME
+
+printf "<html><body><h1>Proxied</h1></body></html>" > $INPUTPROXY
+nc -n -l -p $DESTPORT < "$INPUTPROXY" &
+
+sleep 3
+
+curl -H "Proxy: $DESTHOST:$DESTPORT" http://$DESTHOST/$CGIFILENAME > $OUTPUTCURL
+
+head -n4 $OUTPUTCURL
+
+OUTPUT=$(head -n4 $OUTPUTCURL | grep HTTP_PROXY | grep $DESTPORT | true)
+
+if [ -n "$OUTPUT" ] ; then
+    echo "Error: lighttpd opened a connection"
+    exit 1
+fi
+
+exit 0
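Review bot: the vulnerability check in `OUTPUT=$(head -n4 $OUTPUTCURL | grep HTTP_PROXY | grep $DESTPORT | true)` can never fail. Piping into `true` discards grep's output entirely, so `$OUTPUT` is always empty and the `if [ -n "$OUTPUT" ]` branch is dead code; the intent is `... | grep $DESTPORT || true`, where `|| true` only keeps `set -e` from aborting on grep's non-zero exit when nothing matches. The comment `since set -x` should read `set -e` (`set -x` is just tracing). Smaller points: the background `nc` is never killed (capture `NCPID=$!` and add `trap 'kill $NCPID' EXIT`), the fixed `sleep 3` is a race on slow testbeds, and appending to `10-cgi.conf` with `>>` is not idempotent if the test is run twice on the same system.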
diff --git a/debian/tests/test.py b/debian/tests/test.py
new file mode 100755
index 0000000..ebb826c
--- /dev/null
+++ b/debian/tests/test.py
@@ -0,0 +1,32 @@
+#!/usr/bin/python
+
+# Based on PoC available in httpoxy Github
+
+import requests
+import os
+import wsgiref.handlers
+
+url="http://localhost/";
+
+def application(environ, start_response):
+    req = requests.get(url)
+
+    output = """
+os.environ[HTTP_PROXY]: %(proxy)s
+os.getenv('HTTP_PROXY'): %(getenv-proxy)s
+wsgi Proxy header: %(wsgi-env-proxy)s
+status code: %(status)d
+text: %(text)s""" % {
+	'proxy': os.environ['HTTP_PROXY'] if 'HTTP_PROXY' in os.environ else 'none',
+	'getenv-proxy': os.getenv('HTTP_PROXY', 'none'),
+	'wsgi-env-proxy': environ['HTTP_PROXY'] if 'HTTP_PROXY' in environ else 'none',
+	'status': req.status_code,
+	'text': req.text.encode('latin_1')
+    }
+
+    start_response('200 OK', [('Content-Type', 'text/plain'),
+	          ('Content-Length', str(len(output)))])
+    return [output]
+
+if __name__ == '__main__':
+    wsgiref.handlers.CGIHandler().run(application)
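Review bot: `req = requests.get(url)` is unguarded, and that is precisely the path the test depends on. If lighttpd did export the `Proxy` header as `HTTP_PROXY`, requests would honour that variable and connect to the `nc` listener, which answers with a bare HTML body and no status line; the resulting exception (a bad status line surfaces as `requests.exceptions.ConnectionError`) kills the CGI before `start_response`, no `HTTP_PROXY` line reaches the response body, and the shell check reports success in exactly the vulnerable case. Wrap the request in `try`/`except requests.exceptions.RequestException` and still emit the `os.environ`, `os.getenv` and wsgi lines with `status`/`text` set to the error text, so the environment report does not depend on whether the outbound request succeeds. Minor: drop the stray `;` after the `url` assignment and the tab/space mix in the dict literal (Python 3 rejects mixed indentation).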
-- 
2.9.3

From 965e21995fc4a2a8fe1308056f78f8a8ba8757b0 Mon Sep 17 00:00:00 2001
From: Santiago Ruano Rincón <[email protected]>
Date: Fri, 12 Aug 2016 15:24:56 +0200
Subject: [PATCH 2/2] debian/control: add Testsuite: autopkgtest stanza

---
 debian/control | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/control b/debian/control
index cd48277..7077aa8 100644
--- a/debian/control
+++ b/debian/control
@@ -14,6 +14,7 @@ Build-Depends: debhelper (>= 8), mime-support, libssl-dev,
 Vcs-Git: git://git.debian.org/git/pkg-lighttpd/lighttpd.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-lighttpd/lighttpd.git
 Standards-Version: 3.9.4
+Testsuite: autopkgtest
 
 Package: lighttpd
 Architecture: any
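Review bot: harmless but redundant: `dpkg-source` has added `Testsuite: autopkgtest` to the .dsc automatically whenever `debian/tests/control` exists since dpkg 1.17.11, so this line can be dropped unless the package still needs to build with an older dpkg; if kept, it does no harm.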
-- 
2.9.3


--- End Message ---
--- Begin Message ---
Source: lighttpd
Source-Version: 1.4.56-1
Done: Helmut Grohne <[email protected]>

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Helmut Grohne <[email protected]> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Wed, 09 Dec 2020 06:22:03 +0100
Source: lighttpd
Architecture: source
Version: 1.4.56-1
Distribution: unstable
Urgency: medium
Maintainer: Debian lighttpd maintainers <[email protected]>
Changed-By: Helmut Grohne <[email protected]>
Closes: 834625
Changes:
 lighttpd (1.4.56-1) unstable; urgency=medium
 .
   [ Justin Aplin ]
   * build: Set Build-Depends of libwolfssl-dev to >=4.2.0 due to missing TLS
     version macros in previous versions
 .
   [ Glenn Strauss ]
   * tests/serve-cgi-file,do-not-emit-http-proxy-to-cgi.
     Thanks to Santiago Ruano Rincón <[email protected]> (Closes: #834625)
   * remove lighttpd dependency on FAM or gamin
   * remove --with-fam from build rules
   * patch for lighttpd -1 with pipes
   * patches for mod_wolfssl compatibility
 .
   [ Helmut Grohne ]
   * New upstream version 1.4.56
   * Update debhelper compatibility level to 12.
     + Declare compatibility level via Build-Depends.
     + Add ${misc:Pre-Depends} to lighttpd for dh_installinit.
     + Accommodate moving documentation to /usr/share/doc/lighttpd.
   * consistently --link-doc all module packages
 .
   [ Glenn Strauss ]
   * autopkgtests: upstream lighttpd integration tests
 .
   [ Helmut Grohne ]
   * d/watch: Deal with %-escaped tilde
   * Stop supporting direct upgrades from squeeze


--- End Message ---
