On Mon, Jul 25, 2016 at 06:04:50PM +0300, Sergei Golovan wrote:
> Hi Moritz,
>
> On Mon, Jul 25, 2016 at 5:03 PM, Moritz Muehlenhoff <j...@debian.org> wrote:
> > Source: yaws
> > Severity: normal
> > Tags: security
> >
> > http://seclists.org/oss-sec/2016/q3/95 claims that yaws sets
> > HTTP_PROXY based on a passed Proxy: header. I don't see any
> > evidence for that in the source, but maybe I'm missing something?
>
> Actually, it does set HTTP_PROXY if the Proxy: header is passed to it.
> You can see in src/yaws.erl (lines 2537-2542 in 2.0.3) it collects all
> unknown headers to the "other" headers collection:
>
>     %% auxiliary headers we don't have builtin support for
>     {ok, X} ->
>         ?Debug("OTHER header ~p~n", [X]),
>         http_collect_headers(CliSock, Req,
>                              H#headers{other=[X|H#headers.other]},
>                              SSL, Count+1);
>
> And in src/yaws_cgi.erl (lines 370-373 in 2.0.3) it passes all the "other"
> headers to the CGI script environment (with HTTP_ prepended, so Proxy
> becomes HTTP_PROXY; the tohttp function does exactly that):
>
>         {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))}
>     ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end,
>                  H#headers.other)
>     )) ++
>
> So, YAWS is vulnerable. How do you think we should fix this?

Oh, you're right, I missed that code section!

> Appears that this bug is already fixed upstream (in VCS, not in any
> release yet):
>
> https://github.com/klacke/yaws/commit/9d8fb070e782c95821c90d0ca7372fc6d7316c78#diff-54053c47eb173a90c26ed19bd9d106c1
>
> I could take this patch and prepare the fixes for sid and jessie.

The impact is still fairly limited, so I think it's sufficient if we fix
this through the next jessie point release.

Cheers,
Moritz
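An added illustration of the header-to-CGI-environment mapping Sergei describes, written in Python and not taken from yaws or the upstream commit: the blind mapping beside a hardened variant that refuses to emit HTTP_PROXY. The HTTP_-prefix, upper-case, hyphen-to-underscore rule follows the usual CGI (RFC 3875) convention and is assumed to match yaws' tohttp; the header values are constructed.

```python
import re

# Constructed sample of "other" (non-builtin) request headers, the collection
# the thread says yaws hands to CGI children as HTTP_* variables.
SAMPLE_OTHER_HEADERS = [
    ("Proxy", "http://203.0.113.5:8080"),   # attacker-supplied value (constructed)
    ("X-Request-Id", "abc123"),
]

def tohttp(name):
    """Assumed equivalent of yaws' tohttp: HTTP_ prefix, hyphens to
    underscores, upper-case (the CGI meta-variable convention)."""
    return "HTTP_" + re.sub(r"-", "_", name).upper()

def cgi_env_vulnerable(other_headers):
    """Map every unknown header blindly. A client-sent Proxy: header thus
    becomes HTTP_PROXY, which many HTTP client libraries inside the CGI
    child read as the outbound proxy setting (httpoxy)."""
    return {tohttp(name): value for name, value in other_headers}

def cgi_env_hardened(other_headers):
    """Drop any header whose derived variable name would be HTTP_PROXY.
    Filtering on the derived name (not the raw header) also covers
    'proxy' / 'PROXY', since header names are case-insensitive."""
    return {
        tohttp(name): value
        for name, value in other_headers
        if tohttp(name) != "HTTP_PROXY"
    }

def is_httpoxy_exposed(env):
    """Detection check a reviewer can run over a built CGI environment."""
    return "HTTP_PROXY" in env

if __name__ == "__main__":
    print("vulnerable:", cgi_env_vulnerable(SAMPLE_OTHER_HEADERS))
    print("hardened:  ", cgi_env_hardened(SAMPLE_OTHER_HEADERS))
```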