Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)
On 2016-07-18 18:07:22, Richard Hipp wrote:
> On 7/18/16, Martin S. Weber wrote:
> >
> > But it uses the http_proxy environment variable, doesn't it,
> > which a front-end web server might (or, will, according to RFC 3875,)
> > set before invoking fossil as a cgi.
>
> Only shell commands (ex: "fossil sync") use the HTTP_PROXY environment
> variable, and those are not accessible via CGI.

So no auto-sync setting, no TH1 code hooks, ... That sounds good enough.

Thanks for the analysis,
-Martin

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)
On 7/18/16, Martin S. Weber wrote:
>
> But it uses the http_proxy environment variable, doesn't it,
> which a front-end web server might (or, will, according to RFC 3875,)
> set before invoking fossil as a cgi.

Only shell commands (ex: "fossil sync") use the HTTP_PROXY environment
variable, and those are not accessible via CGI.

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)
On 2016-07-18 17:27:52, Richard Hipp wrote:
> On 7/18/16, Martin S. Weber wrote:
> > More info e.g. at https://httpoxy.org/
> >
> > suggested fix: "If you’re running PHP or CGI, you should block the Proxy
> > header now."
> >
> > Fossil's suggesting deployment as a CGI
> > Fossil's using http_proxy itself (as client)
> >
> > wondering whether:
> > - fossil can be convinced to be exploitable by a well crafted proxy header
> > - std CGI setup instructions should include deleting the Proxy header
>
> The CGI logic in Fossil already ignores the "Proxy:" header. So I
> don't see how this can be exploited.

But it uses the http_proxy environment variable, doesn't it, which a
front-end web server might (or, will, according to RFC 3875,) set before
invoking fossil as a cgi.

So the Proxy: header should be scrubbed in the front-end server, not in
fossil itself, so that fossil-as-cgi can trust the setting of HTTP_PROXY.
..is what I take away from it.

Regards,
-Martin
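The RFC 3875 header-to-environment mapping this thread turns on, as an added example that is not part of the original posts or of Fossil's code: a toy gateway that shows how a client-sent `Proxy:` header becomes `HTTP_PROXY`, the front-end scrub the thread recommends, and a CGI-side check that treats `HTTP_PROXY` as trusted only when the process was not started by a gateway. Function names and the request headers are constructed for illustration.

```python
# Added example (not Fossil's or the list's code): how an RFC 3875 gateway
# turns request headers into HTTP_* meta-variables, why a client-supplied
# "Proxy:" header lands in HTTP_PROXY, and where that can be cut off.

def cgi_meta_vars(headers, scrub_proxy=False):
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18
    prescribes: upper-case, '-' becomes '_', prefix 'HTTP_'.
    With scrub_proxy=True the front end drops the 'Proxy' header before the
    mapping, so HTTP_PROXY can never be set from the request."""
    env = {}
    for name, value in headers:
        if scrub_proxy and name.lower() == "proxy":
            continue  # gateway-side mitigation: never forward Proxy:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_for_outbound_client(env):
    """Defensive reading of HTTP_PROXY inside the program itself: when it was
    started by a gateway (REQUEST_METHOD is set, RFC 3875 section 4.1.12),
    HTTP_PROXY is request-controlled and is ignored; in a plain shell
    invocation (the 'fossil sync' case) it is the operator's own setting."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


# Constructed request: ordinary headers plus an injected Proxy header.
REQUEST_HEADERS = [
    ("Host", "fossil.example.invalid"),
    ("User-Agent", "curl/7.0"),
    ("Proxy", "http://injected.invalid:8080"),
]

if __name__ == "__main__":
    naive = cgi_meta_vars(REQUEST_HEADERS)
    print("naive gateway   :", naive.get("HTTP_PROXY"))    # injected value
    hardened = cgi_meta_vars(REQUEST_HEADERS, scrub_proxy=True)
    print("scrubbed gateway:", hardened.get("HTTP_PROXY"))  # None
    # A CGI child sees REQUEST_METHOD; a shell invocation does not.
    cgi_env = {**naive, "REQUEST_METHOD": "GET"}
    print("cgi child uses  :", proxy_for_outbound_client(cgi_env))
    shell_env = {"HTTP_PROXY": "http://proxy.corp.invalid:3128"}
    print("shell uses      :", proxy_for_outbound_client(shell_env))
```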
Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)
On 7/18/16, Martin S. Weber wrote:
> More info e.g. at https://httpoxy.org/
>
> suggested fix: "If you’re running PHP or CGI, you should block the Proxy
> header now."
>
> Fossil's suggesting deployment as a CGI
> Fossil's using http_proxy itself (as client)
>
> wondering whether:
> - fossil can be convinced to be exploitable by a well crafted proxy header
> - std CGI setup instructions should include deleting the Proxy header

The CGI logic in Fossil already ignores the "Proxy:" header. So I
don't see how this can be exploited.

--
D. Richard Hipp
d...@sqlite.org
[fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)
More info e.g. at https://httpoxy.org/

suggested fix: "If you’re running PHP or CGI, you should block the Proxy
header now."

Fossil's suggesting deployment as a CGI
Fossil's using http_proxy itself (as client)

wondering whether:
- fossil can be convinced to be exploitable by a well crafted proxy header
- std CGI setup instructions should include deleting the Proxy header

Regards,
-Martin