On 2016-07-18 17:27:52, Richard Hipp wrote:
> On 7/18/16, Martin S. Weber <ephae...@gmx.net> wrote:
> > More info e.g. at https://httpoxy.org/
> >
> > suggested fix: "If you’re running PHP or CGI, you should block the Proxy
> > header now."
> >
> > Fossil's suggesting deployment as a CGI
> > Fossil's using http_proxy itself (as client)
> >
> > wondering whether:
> > - fossil can be convinced to be exploitable by a well crafted proxy header
> > - std CGI setup instructions should include deleting the Proxy header
> 
> The CGI logic in Fossil already ignores the "Proxy:" header.  So I
> don't see how this can be exploited.

But it uses the http_proxy environment variable, doesn't it,
which a front-end web server might (or will, according to RFC 3875)
set before invoking fossil as a cgi.

So the Proxy: header should be scrubbed in the front end server, not
fossil itself, so that fossil-as-cgi can trust the setting of HTTP_PROXY.

...is what I take away from it.

Regards,
-Martin
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
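The mechanism discussed above (RFC 3875 turning a request header into an HTTP_* meta-variable, so a client-supplied Proxy: header lands in HTTP_PROXY) together with the scrub a front end or CGI wrapper would apply, as an added Python example that is not part of this thread or of Fossil's code; the header names, values and proxy URL are constructed for illustration.

```python
# Added example (not Fossil code): RFC 3875 header-to-environment mapping
# and the defensive scrub a CGI wrapper should apply before exec'ing the
# CGI program. All sample headers below are constructed.

# RFC 3875 section 4.1.18: each request header becomes HTTP_<NAME>, where
# NAME is upper-cased and every '-' is replaced by '_'. Nothing in that rule
# excludes a header literally named "Proxy", which therefore becomes
# HTTP_PROXY, the variable HTTP client libraries read for an outbound proxy.
def cgi_meta_variables(headers):
    env = {}
    for name, value in headers:
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env

# Variable names conventionally consulted by HTTP client code for a proxy.
PROXY_VARS = ("HTTP_PROXY", "http_proxy")

def scrub_cgi_env(env):
    """Return a copy of env without the proxy variables.

    Under CGI the only way HTTP_PROXY reaches the child is through the
    header mapping above, so a wrapper can safely drop it (and the lowercase
    form) before handing the environment to the CGI program."""
    return {k: v for k, v in env.items() if k not in PROXY_VARS}

def request_carries_proxy_header(headers):
    """Detection helper for front-end logging: True when a request carries a
    Proxy header (case-insensitive), which ordinary clients never send."""
    return any(name.strip().lower() == "proxy" for name, _ in headers)

if __name__ == "__main__":
    # Constructed request: a normal Host header plus a Proxy header.
    sample = [("Host", "example.test"),
              ("Proxy", "http://proxy.example.test:8080")]
    env = cgi_meta_variables(sample)
    print("mapped:", env)                      # contains HTTP_PROXY
    print("scrubbed:", scrub_cgi_env(env))     # HTTP_PROXY gone
    print("flag:", request_carries_proxy_header(sample))
```

A real wrapper would pass the scrubbed dictionary as the env argument of os.execve or subprocess when launching the CGI program; the same effect is obtained by unsetting HTTP_PROXY in a shell wrapper or dropping the Proxy header in the front-end server configuration.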
