Bug #12610

closed

webrick: protect from httpoxy

Added by normalperson (Eric Wong) almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
[ruby-core:76511]

Description

See problem documented at https://httpoxy.org/

Sorry my Internet connection is crap and I keep dropping.
Hope to commit within 24 hours.



Updated by nagachika (Tomoyuki Chikanaga) almost 5 years ago

As noted in the article (https://httproxy.org/), Net::HTTP and URI::Generic.find_proxy have mitigations for this vulnerability.
The remaining issue was that external programs spawned in CGI handlers could be affected by the HTTP_PROXY env. Is that right?

I don't have my ssh key right now; I can commit it and backport tonight.
How about the stable package releases?
Unfortunately I'm going to be offline this weekend. I can handle the release work next Monday night at the earliest.

Updated by darix (Marcus Rückert) almost 5 years ago

On 2016-07-22 02:03:14 +0000, nagachika00@gmail.com wrote:

0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB)

the /dumpenv chunk from the patch looks like left over debug code

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org

Updated by usa (Usaku NAKAMURA) almost 5 years ago

Marcus Rückert wrote:

the /dumpenv chunk from the patch looks like left over debug code

It's not debug code. It's the test for verification.


Updated by Anonymous almost 5 years ago

  • Status changed from Open to Closed

Applied in changeset r55731.


webrick: filter out HTTP_PROXY for CGIHandler

  • lib/webrick/httpservlet/cgihandler.rb (do_GET): delete HTTP_PROXY
  • test/webrick/test_cgi.rb (test_cgi_env): new test
  • test/webrick/webrick.cgi (do_GET): new endpoint to dump env [ruby-core:76511] [Bug #12610]
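
The filtering described in the changeset above, as an added sketch that is not WEBrick's own code: it applies the RFC 3875 header-to-meta-variable mapping, shows the variable a `Proxy` request header turns into, and checks from a spawned child (in the spirit of the env-dump test) that the filtered environment no longer carries it. The function names, sample headers and proxy URL are assumptions constructed for the illustration.

```ruby
require "rbconfig"

# RFC 3875 mapping used by CGI servers: request header "Foo-Bar" becomes
# the meta-variable HTTP_FOO_BAR in the environment of the CGI program.
# (Hypothetical helper, not WEBrick's API.)
def cgi_meta_vars(headers)
  headers.each_with_object({}) do |(name, value), meta|
    key = name.upcase.tr("-", "_")
    key = "HTTP_#{key}" unless %w[CONTENT_TYPE CONTENT_LENGTH].include?(key)
    meta[key] = value
  end
end

# Hardened variant: drop the one derived variable that collides with the
# proxy setting many HTTP clients read from the environment.
def filtered_meta_vars(headers)
  meta = cgi_meta_vars(headers)
  meta.delete("HTTP_PROXY")
  meta
end

# Spawn a child the way a CGI handler would and report the HTTP_PROXY it sees.
# The nil entry clears any HTTP_PROXY inherited from this process, so the
# result depends only on the request-derived variables.
def http_proxy_seen_by_child(meta)
  env = { "HTTP_PROXY" => nil }.merge(meta)
  child = [RbConfig.ruby, "--disable-gems", "-e",
           "print ENV.fetch('HTTP_PROXY', '(unset)')"]
  IO.popen(env, child, &:read)
end

# Constructed sample request headers (not taken from the bug report).
SAMPLE_HEADERS = {
  "Host" => "app.example",
  "Content-Type" => "text/plain",
  "Proxy" => "http://proxy.invalid:8080",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: #{http_proxy_seen_by_child(cgi_meta_vars(SAMPLE_HEADERS))}"
  puts "filtered:   #{http_proxy_seen_by_child(filtered_meta_vars(SAMPLE_HEADERS))}"
end
```

Header names are case-insensitive, so the delete has to happen on the derived key after the mapping, not on the raw header name.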

Updated by normalperson (Eric Wong) almost 5 years ago

Marcus Rueckert darix@opensu.se wrote:

On 2016-07-22 02:03:14 +0000, nagachika00@gmail.com wrote:

0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB)

the /dumpenv chunk from the patch looks like left over debug code

Nope, it's part of the test case as usa said.

Committed as r55731

Updated by nagachika (Tomoyuki Chikanaga) almost 5 years ago

  • Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED to 2.1: REQUIRED, 2.2: REQUIRED, 2.3: DONE

ruby_2_3 r55791 merged revision(s) 55731.

Updated by usa (Usaku NAKAMURA) almost 5 years ago

  • Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: DONE to 2.1: REQUIRED, 2.2: DONE, 2.3: DONE

ruby_2_2 r55923 merged revision(s) 55731.
