Hi Peter! Thanks for all your work on this!
> A vulnerability called "httpoxy" has been announced, which affects a
> lot of software (server _and_ client) which speaks the HTTP protocol,
> allowing a man in the middle attack to be made on servers. The
> spiffy-cgi-handlers and http-client eggs are also affected.
>
> In short, the CGI specification defines that all HTTP headers should be
> converted to environment variables, after uppercasing them and prefixing
> them with "HTTP_". Unfortunately, this allows an attacker to pass a
> (nonexistent) "Proxy:" header, which will then be converted to
> "HTTP_PROXY", which happens to be an environment variable which most
> HTTP client programs and libraries support as a way of telling them to
> route all requests through a proxy. See https://httpoxy.org for more
> information about this attack.
>
> The http-client egg is vulnerable to such an attack with the default
> value of "determine-proxy" (which is "determine-proxy-from-environment"),
> if it is used in a CGI program. This situation only occurs if this
> process is invoked by a HTTP server which converts the Proxy header as a
> HTTP_PROXY environment variable. The spiffy-cgi-handlers egg will do
> that in the default setup.
>
> If your CGI scripts are not using http-client, they may still be
> vulnerable depending on which HTTP client library or application
> you are using.
>
> These bugs have been fixed in http-client 0.10 and
> spiffy-cgi-handlers 0.5, so please update at your earliest convenience.
>
>
> If you are unable to update, both eggs provide sufficient hooks to fix
> this in user code, without patching the eggs:
>
> In spiffy-cgi-handlers, you can add ("HTTP_PROXY" . #f) to the
> cgi-default-environment parameter:
>
> (cgi-default-environment
>   (cons '("HTTP_PROXY" . #f) (cgi-default-environment)))
>
> This has precedence over the dynamically determined environment list
> which converts the "Proxy" header to "HTTP_PROXY".
>
> In http-client, you can disable or override the determine-proxy parameter
> with a custom procedure:
>
> (use data-structures)
> (determine-proxy (constantly #f))
>
> The updated versions of spiffy-cgi-handlers and http-client should be
> available shortly.
>
> Kind regards,
> Peter Bex
>
>
> _______________________________________________
> Chicken-users mailing list
> [email protected]
> https://lists.nongnu.org/mailman/listinfo/chicken-users
>

Regards,
@ndy

--
[email protected]
http://www.ashurst.eu.org/
0290 DA75 E982 7D99 A51F E46A 387A 7695 7EBA 75FF
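The header-to-environment conversion Peter describes, together with both mitigations (the server-side override that takes precedence over header-derived variables, and a client that ignores HTTP_PROXY when it finds itself inside a CGI process), as an added Python example that is not code from the thread or from either egg. The names `cgi_environment`, `proxy_from_environment` and `BLOCKED_HEADERS` are my own, and the proxy URL used in the check is a constructed `.invalid` address.

```python
from typing import Dict, Iterable, Optional, Tuple

# Request headers that must never become CGI meta-variables: a client-supplied
# "Proxy:" header would otherwise be exported as HTTP_PROXY (the httpoxy bug).
BLOCKED_HEADERS = {"proxy"}


def header_to_meta_variable(name: str) -> str:
    """The CGI rule: uppercase the header name, map '-' to '_', prefix HTTP_."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def cgi_environment(headers: Iterable[Tuple[str, str]],
                    default_env: Optional[Dict[str, Optional[str]]] = None,
                    strip_proxy_header: bool = True) -> Dict[str, str]:
    """Build the environment a server hands to its CGI child.

    strip_proxy_header=False reproduces the pre-0.5 behaviour of exporting
    every header. default_env mirrors spiffy-cgi-handlers' cgi-default-
    environment: its entries win over header-derived ones, and a value of
    None (the Scheme #f) removes the variable, which is the user-code fix.
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        if strip_proxy_header and name.strip().lower() in BLOCKED_HEADERS:
            continue
        env[header_to_meta_variable(name)] = value
    for key, value in (default_env or {}).items():
        if value is None:
            env.pop(key, None)
        else:
            env[key] = value
    return env


def proxy_from_environment(env: Dict[str, str]) -> Optional[str]:
    """Client-side defence (my design, not http-client's): a process running
    under CGI always has REQUEST_METHOD set, and there HTTP_PROXY is
    attacker-controlled, so the proxy setting is ignored in that case."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or env.get("http_proxy")
```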
