[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Rémi Rampin added the comment:

Here it goes:
- Clarified that the _proxy suffix should be lowercase
- Indented ..note: blocks under function/class

Added file: http://bugs.python.org/file43944/python-3.5-httpoxy.patch

Python tracker <http://bugs.python.org/issue27568>
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Added file: http://bugs.python.org/file43943/python-2.7-httpoxy.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Removed file: http://bugs.python.org/file43801/python-3.5-httpoxy.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Removed file: http://bugs.python.org/file43800/python-2.7-httpoxy.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Rémi Rampin added the comment:

I was away for a bit; I will make the requested changes tonight.
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Removed file: http://bugs.python.org/file43796/python-2.7-httpoxy.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Removed file: http://bugs.python.org/file43797/python-3.5-httpoxy.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Added file: http://bugs.python.org/file43801/python-3.5-httpoxy.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Rémi Rampin added the comment:

- Added CVE number
- Link to full note on getproxies() doc
- Improved comment on uppercase (lowercase will be preferred to mIxED_case too)

Added file: http://bugs.python.org/file43800/python-2.7-httpoxy.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Added file: http://bugs.python.org/file43797/python-3.5-httpoxy.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Added file: http://bugs.python.org/file43796/python-2.7-httpoxy.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Removed file: http://bugs.python.org/file43779/python-2.7-httpoxy-mitigation.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Removed file: http://bugs.python.org/file43780/python-3.5-httpoxy-mitigation.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Rémi Rampin added the comment:

I am willing to work on documentation and tests if there is an interest in the patch.

On Windows, if REQUEST_METHOD is set, it is probably safe to assume that HTTP_* variables come from the web server: setting this variable is not the way we set a proxy there, so ignoring this dubious variable is probably fine.
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
keywords: +patch
Added file: http://bugs.python.org/file43779/python-2.7-httpoxy-mitigation.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
Changes by Rémi Rampin:
Added file: http://bugs.python.org/file43780/python-3.5-httpoxy-mitigation.patch
[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
New submission from Rémi Rampin:

https://httpoxy.org/

It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests.

This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.

See also: bug against python-requests https://github.com/kennethreitz/requests/issues/3422

components: Library (Lib)
messages: 270795
nosy: remram
priority: normal
severity: normal
status: open
title: "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
type: enhancement
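The mitigation discussed across this thread (ignore a non-lowercase HTTP_PROXY when REQUEST_METHOD indicates a CGI environment, and prefer all-lowercase *_proxy variables over UPPER or mIxED-case ones) as an added illustration; this is not the attached patch nor CPython's own code, and the environment mappings in the test are constructed.

```python
import os


def getproxies_environment(environ=None):
    """Collect scheme -> proxy URL from an environment mapping.

    Added example of the defensive rules described in this issue:
    - a variable whose name ends in '_proxy' (any case) contributes a
      proxy for the scheme in front of the suffix;
    - in a CGI environment (REQUEST_METHOD set) the value collected
      under 'http' is dropped, because a web server derives HTTP_PROXY
      from a client-supplied 'Proxy:' request header;
    - an all-lowercase name always wins and, when empty, clears the
      scheme, so a deliberately set http_proxy still works under CGI.
    """
    if environ is None:
        environ = os.environ
    proxies = {}
    # First pass: accept any capitalisation of the name.
    for name, value in environ.items():
        lname = name.lower()
        if value and lname.endswith("_proxy"):
            proxies[lname[:-6]] = value
    # CGI context: the 'http' entry may have come from a 'Proxy:' header,
    # so forget it; a lowercase http_proxy is restored by the next pass.
    if "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
    # Second pass: only fully lowercase names override or clear entries.
    for name, value in environ.items():
        if name == name.lower() and name.endswith("_proxy"):
            if value:
                proxies[name[:-6]] = value
            else:
                proxies.pop(name[:-6], None)
    return proxies


def proxy_for(scheme, environ=None):
    """Return the proxy URL to use for a scheme, or None (added helper)."""
    return getproxies_environment(environ).get(scheme.lower())
```

Note that the check keys on REQUEST_METHOD rather than on the request itself, as the thread proposes; a web server that sets HTTP_PROXY for any other reason is treated the same way.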
[issue9351] argparse set_defaults on subcommands should override top level set_defaults
Rémi Rampin added the comment:

To me this is much more than a compatibility problem. The way it worked before made a lot of sense, and just felt like the "correct" solution to accept a flag in multiple places. Having a --verbose flag is something everybody should consider (Python has a decent builtin logging module), and anybody providing it would definitely want to accept it before and after subcommands (or at least, for every subcommand).

The only way right now is to not only create different arguments with add_argument() for each parser, but you also need to provide different destination names (and then do something shitty like verbosity = args.verb_main + args.verb_subcommand).

This bug makes argparse completely unusable for any real-life application that uses subparsers (in addition to breaking existing programs). And it breaks silently too, simply amazing!

Of course there is very little point in fixing this now. Since this affects multiple released versions of Python, I have to use a work-around anyway (until I can move from argparse to something that won't decide to break someday for the hell of it).

Python tracker <http://bugs.python.org/issue9351>
[issue24251] Different behavior for argparse between 2.7.8 and 2.7.9 when adding the same arguments to the root and the sub commands
Changes by Rémi Rampin:
nosy: +remram

Python tracker <http://bugs.python.org/issue24251>
[issue9351] argparse set_defaults on subcommands should override top level set_defaults
Changes by Rémi Rampin:
nosy: +remram
[issue14910] argparse: disable abbreviation
Rémi Rampin added the comment:

It looks like the previous comments were addressed in the latest patch. Is this still planned for 3.5? Alpha 1 is next week according to PEP 478.

Python tracker <http://bugs.python.org/issue14910>
[issue14910] argparse: disable abbreviation
Changes by Rémi Rampin:
nosy: +remram
[issue23058] argparse silently ignores arguments
Rémi Rampin added the comment:

I might use your workaround in ReproZip (https://github.com/ViDA-NYU/reprozip/issues/89), thanks. I agree that it doesn't look pretty...

Python tracker <http://bugs.python.org/issue23058>
[issue23058] argparse silently ignores arguments
Rémi Rampin added the comment:

Interestingly, this worked before my upgrade 2.7.8 -> 2.7.9.
[issue23058] argparse silently ignores arguments
New submission from Rémi Rampin:

This works correctly on Python 3.4. On Python 2.7, argparse seems to completely and silently ignore arguments in some conditions; for instance, this setup will cause --verbose to be ignored on the main parser:

    import argparse

    # Shared option group, attached as a parent to both the main parser and the subcommand.
    options = argparse.ArgumentParser(add_help=False)
    options.add_argument('-v', '--verbose', action='store_true')
    parser = argparse.ArgumentParser(parents=[options])
    subparsers = parser.add_subparsers()
    parser_cmd = subparsers.add_parser('cmd', parents=[options])

Full runnable example here: http://paste.pound-python.org/show/XfVVhdJHSPISXLP1lASd/

Might or might not be related to #9351, workarounds welcome.

components: Library (Lib)
messages: 232679
nosy: remram
priority: normal
severity: normal
status: open
title: argparse silently ignores arguments
type: behavior
versions: Python 2.7
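The work-around named in the issue9351 comment above and relevant to this report (distinct destination names for the top-level and subcommand flags, then combine them) as an added example; this is not the reporter's code, and the prog/subcommand names are made up for illustration.

```python
import argparse


def build_parser():
    """Accept -v/--verbose both before and after the subcommand.

    Each parser stores the flag under its own dest, so whatever the
    subparser writes back into the namespace cannot clobber the value
    the main parser already parsed (added example, not the author's code).
    """
    parser = argparse.ArgumentParser(prog="tool")
    parser.add_argument("-v", "--verbose", action="count", default=0,
                        dest="verbose_main")
    subparsers = parser.add_subparsers(dest="command")
    cmd = subparsers.add_parser("cmd")
    cmd.add_argument("-v", "--verbose", action="count", default=0,
                     dest="verbose_cmd")
    return parser


def parse(argv):
    """Parse argv and return (subcommand, combined verbosity level)."""
    args = build_parser().parse_args(argv)
    # The subcommand dest only exists when a subcommand was given.
    level = args.verbose_main + getattr(args, "verbose_cmd", 0)
    return args.command, level


def verbosity(argv):
    """Convenience wrapper returning just the combined level."""
    return parse(argv)[1]
```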
[issue22543] -W option cannot use non-standard categories
Rémi Rampin added the comment:

It already does auto-import, but it does it before site-packages are set up, meaning that it fails in any practical setup. See _getcategory(), called by _processoptions(): https://hg.python.org/cpython/file/b15c5a66213f/Lib/warnings.py#l148

Python tracker <http://bugs.python.org/issue22543>
[issue22543] -W option cannot use non-standard categories
New submission from Rémi Rampin:

warnings._processoptions is called very early, before site-packages are enabled. Because of this, using a non-standard 'category' will almost certainly fail with the message:

    Invalid -W option ignored: invalid module name: '...'

The -W option would be a lot more useful if it could actually match non-standard categories (it does, after all, pretend to support modulename.classname).

I don't see any easy way of fixing this, other than initializing the warnings module later or matching category names with the given string (and getting rid of the import).

components: Library (Lib)
messages: 228261
nosy: remram
priority: normal
severity: normal
status: open
title: -W option cannot use non-standard categories
type: behavior
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4, Python 3.5
[issue20705] distutils.extension.Extension with empty 'sources' list
New submission from Rémi Rampin:

While this is obviously a programming error, distutils currently has no check for the 'sources' list being empty, which might or might not result in a self-explanatory error message once the CCompiler's link() method is called (the exact error depends on the subclass's implementation).

It seems that some code had been put in initially to handle this case ('objects or []' constructs) but this has been broken since (objects[0] used by most subclasses). Since objects can only be empty if sources was empty, I think catching this case in build_extension() (the only caller of link_shared_object) makes sense.

Trivial patch attached, should apply on all versions.

components: Distutils
files: distutils-catch-empty-sources.diff
keywords: patch
messages: 211743
nosy: remram
priority: normal
severity: normal
status: open
title: distutils.extension.Extension with empty 'sources' list
type: behavior
versions: Python 2.7
Added file: http://bugs.python.org/file34154/distutils-catch-empty-sources.diff

Python tracker <http://bugs.python.org/issue20705>