Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Martin S. Weber
On 2016-07-18 18:07:22, Richard Hipp wrote:
> On 7/18/16, Martin S. Weber  wrote:
> >
> > But it uses the http_proxy environment variable, doesn't it,
> > which a front-end web server might (or, will, according to RFC 3875,)
> > set before invoking fossil as a cgi.
> 
> Only shell commands (ex: "fossil sync") use the HTTP_PROXY environment
> variable, and those are not accessible via CGI.

So no auto-sync setting, no TH1 code hooks, ...

That sounds good enough.

Thanks for the analysis,
-Martin
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users


Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Richard Hipp
On 7/18/16, Martin S. Weber  wrote:
>
> But it uses the http_proxy environment variable, doesn't it,
> which a front-end web server might (or, will, according to RFC 3875,)
> set before invoking fossil as a cgi.

Only shell commands (ex: "fossil sync") use the HTTP_PROXY environment
variable, and those are not accessible via CGI.

-- 
D. Richard Hipp
d...@sqlite.org


Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Martin S. Weber
On 2016-07-18 17:27:52, Richard Hipp wrote:
> On 7/18/16, Martin S. Weber  wrote:
> > More info e.g. at https://httpoxy.org/
> >
> > suggested fix: "If you’re running PHP or CGI, you should block the Proxy
> > header now."
> >
> > Fossil's suggesting deployment as a CGI
> > Fossil's using http_proxy itself (as client)
> >
> > wondering whether:
> > - fossil can be convinced to be exploitable by a well crafted proxy header
> > - std CGI setup instructions should include deleting the Proxy header
> 
> The CGI logic in Fossil already ignores the "Proxy:" header.  So I
> don't see how this can be exploited.

But it uses the http_proxy environment variable, doesn't it, 
which a front-end web server might (or, will, according to RFC 3875,)
set before invoking fossil as a cgi.

so the Proxy: header should be scrubbed in the front end server, not
fossil itself, so that fossil-as-cgi can trust the setting of HTTP_PROXY.

...is what I take away from it.

Regards,
-Martin
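The mechanism Martin describes above (RFC 3875 turning a client-supplied "Proxy:" header into the HTTP_PROXY meta-variable, and the front-end scrubbing it before the CGI child runs) can be checked with a small gateway model. The following is an added example written for this archive; it is not code from the fossil-users thread or from the Fossil project, and every header name, host and value in it is constructed sample data. The scrub list, the `build_cgi_environ` function and the `proxy_setting_for_cgi_client` helper are this example's own names.

```python
"""Added example (not from the fossil-users thread or the Fossil project):
how an RFC 3875 gateway turns request headers into CGI meta-variables,
and how dropping the Proxy header at the front end keeps a client value
out of HTTP_PROXY before a CGI program is invoked.
All header names, values and hosts below are constructed sample data."""

from typing import Dict, Iterable, Tuple

# Header names the front end drops before building the CGI environment.
# Only "Proxy" collides with the HTTP_PROXY setting, but the set is easy
# to extend. (Constructed for this example.)
SCRUBBED_HEADERS = frozenset({"proxy"})


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 section 4.1.18: 'HTTP_' + header name uppercased, '-' -> '_'."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def build_cgi_environ(headers: Iterable[Tuple[str, str]], scrub: bool) -> Dict[str, str]:
    """Build the HTTP_* part of a CGI environment from request headers.

    scrub=False is the plain RFC 3875 mapping: a client-supplied 'Proxy:'
    header becomes HTTP_PROXY in the child's environment (the httpoxy
    condition).  scrub=True models a front end that drops the header
    first, so the CGI child never sees a client-controlled HTTP_PROXY.
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        if scrub and name.strip().lower() in SCRUBBED_HEADERS:
            continue
        env[header_to_meta_variable(name)] = value.strip()
    return env


def proxy_setting_for_cgi_client(environ: Dict[str, str]) -> str:
    """Second layer of defence, inside a program that makes outbound HTTP calls.

    Under CGI the gateway sets REQUEST_METHOD, and HTTP_PROXY is then a
    request header rather than an operator setting, so ignore it.  Outside
    CGI (a shell invocation) the variable is the usual proxy configuration.
    """
    running_as_cgi = "REQUEST_METHOD" in environ
    if running_as_cgi:
        return ""
    return environ.get("HTTP_PROXY", environ.get("http_proxy", ""))


# Constructed request headers, as an integration test of the front end
# would send them; the Proxy value is a placeholder, not a real host.
SAMPLE_HEADERS = [
    ("Host", "fossil.example"),
    ("User-Agent", "test-client/1.0"),
    ("Proxy", "http://untrusted.invalid:8080"),
    ("X-Forwarded-For", "203.0.113.7"),
]


def demo() -> Dict[str, Dict[str, str]]:
    """Return the naive and the scrubbed environment side by side."""
    return {
        "naive": build_cgi_environ(SAMPLE_HEADERS, scrub=False),
        "hardened": build_cgi_environ(SAMPLE_HEADERS, scrub=True),
    }


if __name__ == "__main__":
    for label, env in demo().items():
        print(f"{label}: HTTP_PROXY={env.get('HTTP_PROXY', '<unset>')}")
```

Running the block prints the naive environment with HTTP_PROXY set to the client's value and the hardened one without it. In a real deployment the scrub happens in the web server rather than in Python; the mitigation httpoxy.org documents for Apache httpd is `RequestHeader unset Proxy early` (mod_headers), and for nginx an explicit `fastcgi_param HTTP_PROXY "";` in the FastCGI/CGI location. The `proxy_setting_for_cgi_client` helper shows the complementary check a CGI-invoked client can apply; as Richard notes in this thread, Fossil's CGI path does not consume HTTP_PROXY at all, so for Fossil the front-end scrub is the relevant layer.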


Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Richard Hipp
On 7/18/16, Martin S. Weber  wrote:
> More info e.g. at https://httpoxy.org/
>
> suggested fix: "If you’re running PHP or CGI, you should block the Proxy
> header now."
>
> Fossil's suggesting deployment as a CGI
> Fossil's using http_proxy itself (as client)
>
> wondering whether:
> - fossil can be convinced to be exploitable by a well crafted proxy header
> - std CGI setup instructions should include deleting the Proxy header

The CGI logic in Fossil already ignores the "Proxy:" header.  So I
don't see how this can be exploited.
-- 
D. Richard Hipp
d...@sqlite.org


[fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Martin S. Weber
More info e.g. at https://httpoxy.org/

suggested fix: "If you're running PHP or CGI, you should block the Proxy header now."

Fossil's suggesting deployment as a CGI
Fossil's using http_proxy itself (as client)

wondering whether:
- fossil can be convinced to be exploitable by a well crafted proxy header
- std CGI setup instructions should include deleting the Proxy header

Regards,
-Martin