Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Martin S. Weber
On 2016-07-18 18:07:22, Richard Hipp wrote:
> On 7/18/16, Martin S. Weber wrote:
> >
> > But it uses the http_proxy environment variable, doesn't it,
> > which a front-end web server might (or, will, according to RFC 3875,)
> > set before invoking fossil as a cgi.
>
> Only

Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Richard Hipp
On 7/18/16, Martin S. Weber wrote:
>
> But it uses the http_proxy environment variable, doesn't it,
> which a front-end web server might (or, will, according to RFC 3875,)
> set before invoking fossil as a cgi.

Only shell commands (ex: "fossil sync") use the HTTP_PROXY

Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Martin S. Weber
On 2016-07-18 17:27:52, Richard Hipp wrote:
> On 7/18/16, Martin S. Weber wrote:
> > More info e.g. at https://httpoxy.org/
> >
> > suggested fix: "If you’re running PHP or CGI, you should block the Proxy
> > header now."
> >
> > Fossil's suggesting deployment as a CGI
> >

Re: [fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Richard Hipp
On 7/18/16, Martin S. Weber wrote:
> More info e.g. at https://httpoxy.org/
>
> suggested fix: "If you’re running PHP or CGI, you should block the Proxy
> header now."
>
> Fossil's suggesting deployment as a CGI
> Fossil's using http_proxy itself (as client)
>
> wondering

[fossil-users] fossil & cgi bleed (Proxy / HTTP_PROXY)

2016-07-18 Thread Martin S. Weber
More info e.g. at https://httpoxy.org/

suggested fix: "If you’re running PHP or CGI, you should block the Proxy header now."

Fossil's suggesting deployment as a CGI
Fossil's using http_proxy itself (as client)

wondering whether:
- fossil can be convinced to be exploitable by a well crafted