[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-08-10 Thread Jesús Cea Avión
Changes by Jesús Cea Avión: -- nosy: +jcea

2016-08-06 Thread Senthil Kumaran
Senthil Kumaran added the comment: Hi Hans-Peter, In 3.3 (95b09ccc8a3e) and 3.4 (3c19023c9fec) the change completely removes any variant of http_proxy if REQUEST_METHOD is set. The only way to have an http-based proxy in a CGI environment is by using the ProxyHandler method. This is the solution introduced

2016-08-03 Thread Hans-Peter Jansen
Hans-Peter Jansen added the comment: > (In msg271688, I pondered if I need to backport a behavior change from > issue26804 which will allow lower cased proxies, but then, I decided against > it as it will introduce unnecessary changes to this security fix releases). Hmm, Senthil, while I

2016-07-31 Thread Berker Peksag
Changes by Berker Peksag: -- stage: patch review -> resolved

2016-07-31 Thread Senthil Kumaran
Senthil Kumaran added the comment: This is also committed in 2.7 branch in ba915d561667. This is committed in all active versions (2.7, 3.5, 3.6) and also versions which receive security updates (3.3 and 3.4). This issue is resolved. Thank you for the patch, Rémi. (In msg271688, I pondered

2016-07-31 Thread Roundup Robot
Roundup Robot added the comment: New changeset 95b09ccc8a3e by Senthil Kumaran in branch '3.3': Prevent HTTPoxy attack (CVE-2016-1000110) https://hg.python.org/cpython/rev/95b09ccc8a3e New changeset 3c19023c9fec by Senthil Kumaran in branch '3.4': [merge from 3.3] Prevent HTTPoxy attack

2016-07-30 Thread Senthil Kumaran
Senthil Kumaran added the comment: For 3.3, 3.4 it seems reasonable to backport changes from issue26804 and then apply this patch. I will do this today. -- assignee: -> orsenthil

2016-07-30 Thread Senthil Kumaran
Senthil Kumaran added the comment: The patch looks good to me. I am checking this in.

2016-07-29 Thread Rémi Rampin
Rémi Rampin added the comment: Here it goes - Clarified that _proxy suffix should be lowercase - Indented ..note: blocks under function/class -- Added file: http://bugs.python.org/file43944/python-3.5-httpoxy.patch

2016-07-29 Thread Rémi Rampin
Changes by Rémi Rampin: Added file: http://bugs.python.org/file43943/python-2.7-httpoxy.patch

2016-07-29 Thread Rémi Rampin
Changes by Rémi Rampin: Removed file: http://bugs.python.org/file43801/python-3.5-httpoxy.patch

2016-07-29 Thread Rémi Rampin
Changes by Rémi Rampin: Removed file: http://bugs.python.org/file43800/python-2.7-httpoxy.patch

2016-07-29 Thread Rémi Rampin
Rémi Rampin added the comment: I was away for a bit, I will make the requested changes tonight.

2016-07-29 Thread Ian Cordasco
Changes by Ian Cordasco: -- nosy: +icordasc

2016-07-29 Thread Petr Viktorin
Petr Viktorin added the comment: The conversation seems to have stalled. Rémi, are you still working on the patch? Should someone take over? -- nosy: +encukou

2016-07-20 Thread Martin Panter
Martin Panter added the comment: I think I misunderstood the Windows situation. Now I understand Windows has no lower-case variable names, so this patch would stop accepting any HTTP_PROXY variable there (in CGI mode). But that is okay by me. I agree the mixed-case scenario is not worth

2016-07-19 Thread Rémi Rampin
Changes by Rémi Rampin: Removed file: http://bugs.python.org/file43796/python-2.7-httpoxy.patch

2016-07-19 Thread Rémi Rampin
Changes by Rémi Rampin: Removed file: http://bugs.python.org/file43797/python-3.5-httpoxy.patch

2016-07-19 Thread Rémi Rampin
Changes by Rémi Rampin: Added file: http://bugs.python.org/file43801/python-3.5-httpoxy.patch

2016-07-19 Thread Rémi Rampin
Rémi Rampin added the comment: - Added CVE number - Link to full note on getproxies() doc - Improved comment on uppercase (lowercase will be preferred to mIxED_case too) -- Added file: http://bugs.python.org/file43800/python-2.7-httpoxy.patch

2016-07-19 Thread Senthil Kumaran
Senthil Kumaran added the comment: Thanks for this patch. The CVE number assigned to python - CVE-2016-1000110. There is redundancy in /Doc/library/urllib.request.rst change where the same paragraph is repeated twice. See if you can have it at a single location as a `Note` and reference it.

2016-07-19 Thread Cory Benfield
Cory Benfield added the comment: Ok, so I've taken a preliminary look at this patch. It looks good to me! I have one question: right now the patch as written will blow away not just HTTP_PROXY, but also any other mixed-case spelling of that name (e.g. HtTp_PrOxY) in a CGI environment. That's

2016-07-19 Thread Rémi Rampin
Changes by Rémi Rampin: Added file: http://bugs.python.org/file43797/python-3.5-httpoxy.patch

2016-07-19 Thread Rémi Rampin
Changes by Rémi Rampin: Added file: http://bugs.python.org/file43796/python-2.7-httpoxy.patch

2016-07-19 Thread Rémi Rampin
Changes by Rémi Rampin: Removed file: http://bugs.python.org/file43779/python-2.7-httpoxy-mitigation.patch

2016-07-19 Thread Rémi Rampin
Changes by Rémi Rampin: Removed file: http://bugs.python.org/file43780/python-3.5-httpoxy-mitigation.patch

2016-07-19 Thread Cory Benfield
Cory Benfield added the comment: I like this patch a great deal, I'll happily review it with docs and tests. -- nosy: +Lukasa

2016-07-18 Thread Rémi Rampin
Rémi Rampin added the comment: I am willing to work on documentation and tests if there is an interest in the patch. On Windows, if REQUEST_METHOD is set, it is probably safe to assume that HTTP_* variables come from the web server: setting this variable is not the way we set a proxy there,

2016-07-18 Thread Martin Panter
Martin Panter added the comment: I suspect this won’t help on OSes like Windows where environment variable names are case-insensitive (correct me if I am wrong). Regardless, it may be worth making the change. It would be nice to also add test case(s). And I wonder if it would be appropriate

2016-07-18 Thread Berker Peksag
Changes by Berker Peksag: -- nosy: +orsenthil stage: -> patch review type: enhancement -> security versions: +Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6

2016-07-18 Thread Rémi Rampin
Changes by Rémi Rampin: -- keywords: +patch Added file: http://bugs.python.org/file43779/python-2.7-httpoxy-mitigation.patch

2016-07-18 Thread Rémi Rampin
Changes by Rémi Rampin: Added file: http://bugs.python.org/file43780/python-3.5-httpoxy-mitigation.patch

2016-07-18 Thread Rémi Rampin
New submission from Rémi Rampin: https://httpoxy.org/ It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests. This should be mitigated like it
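The mechanism described in the submission above (a client's Proxy request header turned into an HTTP_PROXY meta-variable by the CGI mapping, which urllib then trusts) and the mitigation Senthil describes higher in the thread (ignore HTTP_PROXY when REQUEST_METHOD is set; honour only a lower-case http_proxy), as an added example that is not part of the tracker thread or of CPython. Everything in it is constructed: the request headers, both proxy hosts, and the two resolver functions, which are simplified reimplementations of the pre-fix and post-fix behaviour rather than the stdlib's code. The last function queries the running interpreter's urllib.request.getproxies_environment() (the function the fix patched) so a practitioner can check whether a given Python still honours a CGI-supplied HTTP_PROXY.

```python
"""HTTPoxy (CVE-2016-1000110) in a CGI environment, as an added example.

Shows how a client-supplied 'Proxy:' header becomes HTTP_PROXY, why a naive
proxy lookup trusts it, and how a REQUEST_METHOD-aware lookup refuses it.
The CGI environment and proxy hosts below are constructed; the resolvers are
simplified reimplementations, not CPython's code.
"""
import os
from urllib.request import getproxies_environment


def cgi_meta_variables(method, request_headers):
    """Build the environment a web server hands to a CGI script (RFC 3875).

    Each request header is exposed as HTTP_<NAME>: upper-cased, '-' -> '_'.
    That mapping is the whole bug: a client header 'Proxy: evil' becomes
    HTTP_PROXY and is indistinguishable from an operator-set HTTP_PROXY.
    """
    env = {"REQUEST_METHOD": method}
    for name, value in request_headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def resolve_proxies_vulnerable(env):
    """Pre-fix behaviour: any *_proxy variable, in any case, is trusted."""
    proxies = {}
    for name, value in env.items():
        lname = name.lower()
        if value and lname.endswith("_proxy"):
            proxies[lname[:-6]] = value
    return proxies


def resolve_proxies_fixed(env):
    """Mitigated behaviour modelled on the fix discussed in the thread.

    1. Collect every *_proxy variable case-insensitively.
    2. If REQUEST_METHOD is set we are a CGI script, so drop the 'http'
       entry: it may have come from the client's Proxy header.
    3. Re-add entries whose variable name is literally lower-case '_proxy'.
       A web server never produces a lower-case HTTP_ meta-variable, so such
       a value can only have been set by the operator. (On Windows os.environ
       keys are upper-cased, so in CGI mode nothing re-adds 'http' there.)
    """
    proxies = {}
    for name, value in env.items():
        lname = name.lower()
        if value and lname.endswith("_proxy"):
            proxies[lname[:-6]] = value
    if "REQUEST_METHOD" in env:
        proxies.pop("http", None)
    for name, value in env.items():
        if name.endswith("_proxy"):
            if value:
                proxies[name[:-6]] = value
            else:
                proxies.pop(name[:-6], None)
    return proxies


# Constructed hostile request; the proxy address is hypothetical (TEST-NET-3).
ATTACKER_HEADERS = {"Host": "app.example", "Proxy": "http://203.0.113.7:8080"}
OPERATOR_PROXY = "http://proxy.corp.example:3128"  # hypothetical


def demo():
    """Run both resolvers against the same constructed CGI environment."""
    env = cgi_meta_variables("GET", ATTACKER_HEADERS)
    # Same request, but the operator also exported a lower-case http_proxy.
    env_with_operator_proxy = dict(env, http_proxy=OPERATOR_PROXY)
    return {
        "cgi_env_has_HTTP_PROXY": "HTTP_PROXY" in env,
        "vulnerable": resolve_proxies_vulnerable(env),
        "fixed": resolve_proxies_fixed(env),
        "fixed_keeps_operator_proxy": resolve_proxies_fixed(env_with_operator_proxy),
    }


def installed_urllib_ignores_http_proxy_in_cgi():
    """True if this interpreter's urllib refuses a CGI-supplied HTTP_PROXY.

    Temporarily injects the constructed CGI environment into os.environ,
    asks getproxies_environment() what it would use, then restores the
    original environment.
    """
    saved = dict(os.environ)
    try:
        os.environ.pop("http_proxy", None)  # no lower-case override in play
        os.environ.update(cgi_meta_variables("GET", ATTACKER_HEADERS))
        return "http" not in getproxies_environment()
    finally:
        os.environ.clear()
        os.environ.update(saved)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("installed urllib ignores CGI HTTP_PROXY:",
          installed_urllib_ignores_http_proxy_in_cgi())
```

The third step of resolve_proxies_fixed is what makes the mitigation usable on POSIX: a lower-case http_proxy exported by the operator still wins, while a mixed- or upper-case spelling that could have been injected through the request is dropped whenever REQUEST_METHOD is present. Scripts that must run on an unpatched interpreter can get the same effect by deleting HTTP_PROXY from os.environ before importing urllib.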