Bug #12610: webrick: protect from httpoxy - Ruby - Ruby Issue Tracking System

Custom queries

Backport 3.2
Backport 3.3
Backport 3.4
bugs: unassigned
DevMeeting
matz
Open issues with attachment
Windows

Actions

Copy link

Bug #12610

closed

webrick: protect from httpoxy

Added by normalperson (Eric Wong) almost 9 years ago. Updated over 8 years ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

Backport:

2.1: REQUIRED, 2.2: DONE, 2.3: DONE

[ruby-core:76511]

Description

See problem documented at https://httpoxy.org/

Sorry my Internet connection is crap and I keep dropping.
Hope to commit within 24 hours.

Files

0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB) 0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch

normalperson (Eric Wong), 07/21/2016 09:59 PM

History
Notes
Property changes
Associated revisions

Actions

Copy link

#1 [ruby-core:76515]

Updated by nagachika (Tomoyuki Chikanaga) almost 9 years ago

As noted in the article (https://httproxy.org/), Net::HTTP and URI::Generic.find_proxy has mitigation about this vulnerability.
The remaining issue was that when external programs was spawned in cgi handlers could be effected by HTTP_PROXY env. Is it right?

I don't have ssh key right now, I can commit it and backport at tonight.
How about the stable package releases?
Unfortunately I'm going to be offline this weekend. I can handle the release work on the next monday's night at the fastest.

Actions

Copy link

#2 [ruby-core:76516]

Updated by darix (Marcus Rückert) almost 9 years ago

On 2016-07-22 02:03:14 +0000, nagachika00@gmail.com wrote:

0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB)

the /dumpenv chunk from the patch looks like left over debug code

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org

Actions

Copy link

#3 [ruby-core:76518]

Updated by usa (Usaku NAKAMURA) almost 9 years ago

Marcus Rückert wrote:

the /dumpenv chunk from the patch looks like left over debug code

It's not debug code. It's the test for verification.

Actions

Copy link

Updated by Anonymous almost 9 years ago

Status changed from Open to Closed

Applied in changeset r55731.

webrick: filter out HTTP_PROXY for CGIHandler

lib/webrick/httpservlet/cgihandler.rb (do_GET): delete HTTP_PROXY
test/webrick/test_cgi.rb (test_cgi_env): new test
test/webrick/webrick.cgi (do_GET): new endpoint to dump env
[ruby-core:76511] [Bug #12610]

Actions

Copy link

#5 [ruby-core:76530]

Updated by normalperson (Eric Wong) almost 9 years ago

Marcus Rueckert darix@opensu.se wrote:

On 2016-07-22 02:03:14 +0000, nagachika00@gmail.com wrote:

0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB)

the /dumpenv chunk from the patch looks like left over debug code

Nope, it's part of the test case as usa said.

Committed as r55731

Actions

Copy link

#6 [ruby-core:76643]

Updated by nagachika (Tomoyuki Chikanaga) almost 9 years ago

Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED to 2.1: REQUIRED, 2.2: REQUIRED, 2.3: DONE

ruby_2_3 r55791 merged revision(s) 55731.

Actions

Copy link

#7 [ruby-core:76910]

Updated by usa (Usaku NAKAMURA) over 8 years ago

Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: DONE to 2.1: REQUIRED, 2.2: DONE, 2.3: DONE

ruby_2_2 r55923 merged revision(s) 55731.

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0Like0Like0Like0Like0Like0

Project

General

Profile

Ruby

Custom queries

Bug #12610

webrick: protect from httpoxy

Updated by nagachika (Tomoyuki Chikanaga) almost 9 years ago

Updated by darix (Marcus Rückert) almost 9 years ago

Updated by usa (Usaku NAKAMURA) almost 9 years ago

Updated by Anonymous almost 9 years ago

Updated by normalperson (Eric Wong) almost 9 years ago

Updated by nagachika (Tomoyuki Chikanaga) almost 9 years ago

Updated by usa (Usaku NAKAMURA) over 8 years ago