Hi Peter!

Thanks for all your work on this!

> A vulnerability called "httpoxy" has been announced, which affects a
> lot of software (server _and_ client) which speaks the HTTP protocol,
> allowing a man in the middle attack to be made on servers.  The
> spiffy-cgi-handlers and http-client eggs are also affected.
> 
> In short, the CGI specification defines that all HTTP headers should be
> converted to environment variables, after uppercasing them and prefixing
> them with "HTTP_".  Unfortunately, this allows an attacker to pass a
> (nonexistent) "Proxy:" header, which will then be converted to
> "HTTP_PROXY", which happens to be an environment variable which most
> HTTP client programs and libraries support as a way of telling them to
> route all requests through a proxy.  See https://httpoxy.org for more
> information about this attack.
> 
> The http-client egg is vulnerable to such an attack with the default
> value of "determine-proxy" (which is "determine-proxy-from-environment"),
> if it is used in a CGI program.  This situation only occurs if this
> process is invoked by a HTTP server which converts the Proxy header as a
> HTTP_PROXY environment variable.  The spiffy-cgi-handlers egg will do
> that in the default setup.
> 
> If your CGI scripts are not using http-client, they may still be
> vulnerable depending on which HTTP client library or application
> you are using.
> 
> These bugs have been fixed in http-client 0.10 and
> spiffy-cgi-handlers 0.5, so please update at your earliest convenience.
> 
> 
> If you are unable to update, both eggs provide sufficient hooks to fix
> this in user code, without patching the eggs:
> 
> In spiffy-cgi-handlers, you can add ("HTTP_PROXY" . #f) to the
> cgi-default-environment parameter:
> 
> (cgi-default-environment
>    (cons '("HTTP_PROXY" . #f) (cgi-default-environment)))
> 
> This has precedence over the dynamically determined environment list
> which converts the "Proxy" header to "HTTP_PROXY".
> 
> In http-client, you can disable or override the determine-proxy parameter
> with a custom procedure:
> 
> (use data-structures)
> (determine-proxy (constantly #f))
> 
> The updated versions of spiffy-cgi-handlers and http-client should be
> available shortly.
> 
> Kind regards,
> Peter Bex
> 
> 
> 
> _______________________________________________
> Chicken-users mailing list
> [email protected]
> https://lists.nongnu.org/mailman/listinfo/chicken-users
> 





Regards,
@ndy

-- 
[email protected]
http://www.ashurst.eu.org/
0290 DA75 E982 7D99 A51F  E46A 387A 7695 7EBA 75FF


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Chicken-users mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/chicken-users

Reply via email to