New submission from Rémi Rampin: https://httpoxy.org/
It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests. This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.

See also: bug against python-requests https://github.com/kennethreitz/requests/issues/3422

----------
components: Library (Lib)
messages: 270795
nosy: remram
priority: normal
severity: normal
status: open
title: "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
type: enhancement

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27568>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
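The mitigation the report asks for, shown as an added example that is not the reporter's or CPython's own code: a proxy lookup that ignores the uppercase HTTP_PROXY variable whenever the process is running as a CGI script (CGI servers always set REQUEST_METHOD, and a request header "Proxy: ..." can only ever land in HTTP_PROXY, not in lowercase http_proxy), plus a urllib opener that uses that filtered mapping instead of urllib's default environment lookup. The environment dictionaries are constructed for the demonstration.

```python
import os
import urllib.request


def cgi_safe_proxies(environ=None):
    """Return a {scheme: proxy} mapping from *_proxy environment variables.

    CGI turns a request header "Proxy: host:port" into HTTP_PROXY, so under
    CGI that single variable is attacker-controlled (HTTPoxy). REQUEST_METHOD
    marks the CGI case, and the lowercase http_proxy cannot be set through a
    header, so only uppercase HTTP_PROXY is dropped. Illustration only.
    """
    env = os.environ if environ is None else environ
    proxies = {}
    for name, value in env.items():
        lname = name.lower()
        if not lname.endswith("_proxy") or not value:
            continue
        if name == "HTTP_PROXY" and "REQUEST_METHOD" in env:
            # Header-injectable variable seen inside a CGI process: ignore it.
            continue
        scheme = lname[: -len("_proxy")]
        proxies[scheme] = value
    return proxies


def cgi_safe_opener(environ=None):
    """Build an opener whose proxy settings come from cgi_safe_proxies().

    Passing an explicit ProxyHandler prevents build_opener() from installing
    its default handler, which would read HTTP_PROXY straight from os.environ.
    """
    handler = urllib.request.ProxyHandler(cgi_safe_proxies(environ))
    return urllib.request.build_opener(handler)


if __name__ == "__main__":
    # Constructed CGI environment: HTTP_PROXY came from a "Proxy:" header,
    # HTTPS_PROXY is the operator's real setting and must survive.
    cgi_env = {
        "REQUEST_METHOD": "GET",
        "HTTP_PROXY": "untrusted.example:8080",
        "HTTPS_PROXY": "proxy.internal:3128",
    }
    print(cgi_safe_proxies(cgi_env))  # {'https': 'proxy.internal:3128'}
```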