[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-29 Thread Rémi Rampin

Rémi Rampin added the comment:

Here it goes
- Clarified that _proxy suffix should be lowercase
- Indented ..note: blocks under function/class

--
Added file: http://bugs.python.org/file43944/python-3.5-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-29 Thread Rémi Rampin

Changes by Rémi Rampin :


Added file: http://bugs.python.org/file43943/python-2.7-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-29 Thread Rémi Rampin

Changes by Rémi Rampin :


Removed file: http://bugs.python.org/file43801/python-3.5-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-29 Thread Rémi Rampin

Changes by Rémi Rampin :


Removed file: http://bugs.python.org/file43800/python-2.7-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-29 Thread Rémi Rampin

Rémi Rampin added the comment:

I was away for a bit, I will make the requested changes tonight.

--

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-19 Thread Rémi Rampin

Changes by Rémi Rampin :


Removed file: http://bugs.python.org/file43796/python-2.7-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-19 Thread Rémi Rampin

Changes by Rémi Rampin :


Removed file: http://bugs.python.org/file43797/python-3.5-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-19 Thread Rémi Rampin

Changes by Rémi Rampin :


Added file: http://bugs.python.org/file43801/python-3.5-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-19 Thread Rémi Rampin

Rémi Rampin added the comment:

- Added CVE number
- Link to full note on getproxies() doc
- Improved comment on uppercase (lowercase will be preferred to mIxED_case too)

--
Added file: http://bugs.python.org/file43800/python-2.7-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-19 Thread Rémi Rampin

Changes by Rémi Rampin :


Added file: http://bugs.python.org/file43797/python-3.5-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-19 Thread Rémi Rampin

Changes by Rémi Rampin :


Added file: http://bugs.python.org/file43796/python-2.7-httpoxy.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-19 Thread Rémi Rampin

Changes by Rémi Rampin :


Removed file: 
http://bugs.python.org/file43779/python-2.7-httpoxy-mitigation.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-19 Thread Rémi Rampin

Changes by Rémi Rampin :


Removed file: 
http://bugs.python.org/file43780/python-3.5-httpoxy-mitigation.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-18 Thread Rémi Rampin

Rémi Rampin added the comment:

I am willing to work on documentation and tests if there is an interest in the 
patch.

On Windows, if REQUEST_METHOD is set, it is probably safe to assume that HTTP_* 
variables come from the web server: setting this variable is not the way we set 
a proxy there, so ignoring this dubious variable is probably fine.

--

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-18 Thread Rémi Rampin

Changes by Rémi Rampin :


--
keywords: +patch
Added file: http://bugs.python.org/file43779/python-2.7-httpoxy-mitigation.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-18 Thread Rémi Rampin

Changes by Rémi Rampin :


Added file: http://bugs.python.org/file43780/python-3.5-httpoxy-mitigation.patch

___
Python tracker 
<http://bugs.python.org/issue27568>
___



[issue27568] "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts

2016-07-18 Thread Rémi Rampin

New submission from Rémi Rampin:

https://httpoxy.org/

It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy 
header. If the script is a Python script and downloads files, urllib will 
happily use the attacker-supplied proxy to make requests.

This should be mitigated like it is in Perl (since 2001), Ruby, and libraries 
like curl.

See also: bug against python-requests 
https://github.com/kennethreitz/requests/issues/3422

--
components: Library (Lib)
messages: 270795
nosy: remram
priority: normal
severity: normal
status: open
title: "HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts
type: enhancement

___
Python tracker 
<http://bugs.python.org/issue27568>
___
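
The environment lookup rules discussed in this thread (ignore HTTP_PROXY when REQUEST_METHOD is set, prefer names with a lowercase _proxy suffix), as an added sketch that is not part of the original messages or the attached patches. `naive_proxies` and `mitigated_proxies` are hypothetical helper names that work on a plain mapping, and the sample environments are constructed.

```python
def naive_proxies(environ):
    """Unmitigated lookup: any variable ending in _proxy, in any case."""
    return {name[:-6].lower(): value
            for name, value in environ.items()
            if value and name.lower().endswith("_proxy")}


def mitigated_proxies(environ):
    """Lookup with the two rules from the thread applied."""
    proxies = naive_proxies(environ)          # pass 1: any case
    # REQUEST_METHOD marks a CGI context, where HTTP_* variables are
    # built from request headers, so the "http" entry is not trusted.
    if "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
    # pass 2: CGI upper-cases header names, so a variable with a
    # lowercase _proxy suffix was set locally and overrides pass 1.
    for name, value in environ.items():
        if name.endswith("_proxy"):
            if value:
                proxies[name[:-6].lower()] = value
            else:
                proxies.pop(name[:-6].lower(), None)
    return proxies


# Constructed CGI environment: HTTP_PROXY comes from a "Proxy:" header.
CGI_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "app.example",
    "HTTP_PROXY": "http://untrusted.example:8080",
}
# Same request on a host whose administrator configured a real proxy.
CGI_ENV_WITH_ADMIN_PROXY = dict(CGI_ENV, http_proxy="http://proxy.example:3128")
# Constructed interactive shell environment (no REQUEST_METHOD).
SHELL_ENV = {"HTTP_PROXY": "http://proxy.example:3128"}

if __name__ == "__main__":
    for label, env in [("cgi", CGI_ENV),
                       ("cgi + http_proxy", CGI_ENV_WITH_ADMIN_PROXY),
                       ("shell", SHELL_ENV)]:
        print(label, naive_proxies(env), mitigated_proxies(env))
```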



[issue9351] argparse set_defaults on subcommands should override top level set_defaults

2015-06-03 Thread Rémi Rampin

Rémi Rampin added the comment:

To me this is much more than a compatibility problem. The way it worked before 
made a lot of sense, and just felt like the "correct" solution to accept a flag 
in multiple places.

Having a --verbose flag is something everybody should consider (Python has a 
decent builtin logging module), and anybody providing it would definitely want 
to accept it before and after subcommands (or at least, for every subcommand).

The only way right now is to not only create different arguments with 
add_argument(), for each parser, but you also need to provide different 
destination names (and then do something shitty like verbosity = 
args.verb_main+args.verb_subcommand). This bug makes argparse completely 
unusable for any real-life application that uses subparsers (in addition to 
breaking existing programs). And it breaks silently too, simply amazing!

Of course there is very little point in fixing this now. Since this affects 
multiple released versions of Python, I have to use a work-around anyway (until 
I can move from argparse to something that won't decide to break someday for 
the hell of it).

--

___
Python tracker 
<http://bugs.python.org/issue9351>
___



[issue24251] Different behavior for argparse between 2.7.8 and 2.7.9 when adding the same arguments to the root and the sub commands

2015-06-03 Thread Rémi Rampin

Changes by Rémi Rampin :


--
nosy: +remram

___
Python tracker 
<http://bugs.python.org/issue24251>
___



[issue9351] argparse set_defaults on subcommands should override top level set_defaults

2015-03-27 Thread Rémi Rampin

Changes by Rémi Rampin :


--
nosy: +remram

___
Python tracker 
<http://bugs.python.org/issue9351>
___



[issue14910] argparse: disable abbreviation

2015-02-03 Thread Rémi Rampin

Rémi Rampin added the comment:

It looks like the previous comments were addressed in the latest patch. Is this 
still planned for 3.5? Alpha 1 is next week according to PEP478.

--

___
Python tracker 
<http://bugs.python.org/issue14910>
___



[issue14910] argparse: disable abbreviation

2015-01-26 Thread Rémi Rampin

Changes by Rémi Rampin :


--
nosy: +remram

___
Python tracker 
<http://bugs.python.org/issue14910>
___



[issue23058] argparse silently ignores arguments

2015-01-02 Thread Rémi Rampin

Rémi Rampin added the comment:

I might use your workaround in ReproZip 
(https://github.com/ViDA-NYU/reprozip/issues/89), thanks. I agree that it 
doesn't look pretty...

--

___
Python tracker 
<http://bugs.python.org/issue23058>
___



[issue23058] argparse silently ignores arguments

2014-12-15 Thread Rémi Rampin

Rémi Rampin added the comment:

Interestingly, this worked before my upgrade 2.7.8 -> 2.7.9.

--

___
Python tracker 
<http://bugs.python.org/issue23058>
___



[issue23058] argparse silently ignores arguments

2014-12-15 Thread Rémi Rampin

New submission from Rémi Rampin:

This works correctly on Python 3.4.

On Python 2.7, argparse seems to completely and silently ignore arguments in 
some conditions, for instance this setup will cause --verbose to be ignored on 
the main parser:

import argparse

# Shared options, attached to both the main parser and the subcommand
options = argparse.ArgumentParser(add_help=False)
options.add_argument('-v', '--verbose', action='store_true')
parser = argparse.ArgumentParser(parents=[options])
subparsers = parser.add_subparsers()
parser_cmd = subparsers.add_parser('cmd', parents=[options])

Full runnable example here: 
http://paste.pound-python.org/show/XfVVhdJHSPISXLP1lASd/

Might or might not be related to #9351, workarounds welcome.

--
components: Library (Lib)
messages: 232679
nosy: remram
priority: normal
severity: normal
status: open
title: argparse silently ignores arguments
type: behavior
versions: Python 2.7

___
Python tracker 
<http://bugs.python.org/issue23058>
___



[issue22543] -W option cannot use non-standard categories

2014-10-02 Thread Rémi Rampin

Rémi Rampin added the comment:

It already does auto-import, but it does it before site-packages are set up, 
meaning that it fails in any practical setup.

See _getcategory(), called by _processoptions(): 
https://hg.python.org/cpython/file/b15c5a66213f/Lib/warnings.py#l148

--

___
Python tracker 
<http://bugs.python.org/issue22543>
___



[issue22543] -W option cannot use non-standard categories

2014-10-02 Thread Rémi Rampin

New submission from Rémi Rampin:

warnings._processoptions is called very early, before site-packages are 
enabled. Because of this, using a non-standard 'category' will almost certainly 
fail with the message:

Invalid -W option ignored: invalid module name: '...'

The -W option would be a lot more useful if it could actually match 
non-standard categories (it does, after all, pretend to support 
modulename.classname).

I don't see any easy way of fixing this, other than initializing the warnings 
module later or matching category names with the given string (and getting rid 
of the import).

--
components: Library (Lib)
messages: 228261
nosy: remram
priority: normal
severity: normal
status: open
title: -W option cannot use non-standard categories
type: behavior
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4, Python 3.5

___
Python tracker 
<http://bugs.python.org/issue22543>
___



[issue20705] distutils.extension.Extension with empty 'sources' list

2014-02-20 Thread Rémi Rampin

New submission from Rémi Rampin:

While this is obviously a programming error, distutils currently has no check 
for the 'sources' list being empty, which might or might not result in a 
self-explanatory error message once the CCompiler's link() method is called 
(the exact error depends on the subclass's implementation).

It seems that some code had been put in initially to handle this case ('objects 
or []' constructs) but this has been broken since (objects[0] used by most 
subclasses).

Since objects can only be empty if sources was empty, I think catching this 
case in build_extension() (only caller of link_shared_object) makes sense.

Trivial patch attached, should apply on all versions.

--
components: Distutils
files: distutils-catch-empty-sources.diff
keywords: patch
messages: 211743
nosy: remram
priority: normal
severity: normal
status: open
title: distutils.extension.Extension with empty 'sources' list
type: behavior
versions: Python 2.7
Added file: http://bugs.python.org/file34154/distutils-catch-empty-sources.diff

___
Python tracker 
<http://bugs.python.org/issue20705>
___