Bug #12610
closedwebrick: protect from httpoxy
Description
See problem documented at https://httpoxy.org/
Sorry my Internet connection is crap and I keep dropping.
Hope to commit within 24 hours.
Files
Updated by nagachika (Tomoyuki Chikanaga) over 8 years ago
As noted in the article (https://httproxy.org/), Net::HTTP and URI::Generic.find_proxy has mitigation about this vulnerability.
The remaining issue was that when external programs was spawned in cgi handlers could be effected by HTTP_PROXY env. Is it right?
I don't have ssh key right now, I can commit it and backport at tonight.
How about the stable package releases?
Unfortunately I'm going to be offline this weekend. I can handle the release work on the next monday's night at the fastest.
Updated by darix (Marcus Rückert) over 8 years ago
On 2016-07-22 02:03:14 +0000, nagachika00@gmail.com wrote:
0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB)
the /dumpenv chunk from the patch looks like left over debug code
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Updated by usa (Usaku NAKAMURA) over 8 years ago
Marcus Rückert wrote:
the /dumpenv chunk from the patch looks like left over debug code
It's not debug code. It's the test for verification.
Updated by Anonymous over 8 years ago
- Status changed from Open to Closed
Applied in changeset r55731.
webrick: filter out HTTP_PROXY for CGIHandler
- lib/webrick/httpservlet/cgihandler.rb (do_GET): delete HTTP_PROXY
- test/webrick/test_cgi.rb (test_cgi_env): new test
- test/webrick/webrick.cgi (do_GET): new endpoint to dump env
[ruby-core:76511] [Bug #12610]
Updated by normalperson (Eric Wong) over 8 years ago
Marcus Rueckert darix@opensu.se wrote:
On 2016-07-22 02:03:14 +0000, nagachika00@gmail.com wrote:
0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB)
the /dumpenv chunk from the patch looks like left over debug code
Nope, it's part of the test case as usa said.
Committed as r55731
Updated by nagachika (Tomoyuki Chikanaga) over 8 years ago
- Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED to 2.1: REQUIRED, 2.2: REQUIRED, 2.3: DONE
ruby_2_3 r55791 merged revision(s) 55731.
Updated by usa (Usaku NAKAMURA) over 8 years ago
- Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: DONE to 2.1: REQUIRED, 2.2: DONE, 2.3: DONE
ruby_2_2 r55923 merged revision(s) 55731.