There is no policy on HTTP_PROXY variable, can we create one?
reassign 436520 general
retitle There is no policy on HTTP_PROXY variable
thanks
Hi,
I'm reassigning this bug to Debian in general. I feel a déjà vu about
this; I thought I already discussed it somewhere but cannot find it
anywhere.
HTTP_PROXY, or http_proxy (and ftp_proxy) is used in many applications
within Debian.
There is a well-known remote attack in which HTTP_* variables can be set
to arbitrary values for CGI scripts, and thus there is a need for
protection against that.
The main problem is that each application has gone its own way in
implementing that protection. For example, the ruby SOAP interface
requires the SOAP_USE_PROXY variable to be set before honoring the value
of http_proxy.
I am guessing that it is only possible to set the upper-case variant
through CGIs, and that the vulnerability will be avoided by
restricting the use to 'http_proxy' and not 'HTTP_PROXY', but I have
not gotten around to verifying it.
I'd like the following to happen.
1. check whether there has been such a discussion before
2. gather information about vulnerabilities for HTTP_PROXY, and http_proxy
3. gather consensus around HTTP_PROXY handling
4. Implement the change in individual applications (or programming
language libraries)
5. finally document it in Debian policy or somewhere suitable.
regards,
junichi
--
dancer@{debian.org,netfort.gr.jp} Debian Project
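The following is an added example, not code from the bug report or from any Debian package, showing the protection the message argues for: a proxy lookup that honours the lower-case http_proxy variable but ignores HTTP_PROXY whenever the process is a CGI script. The CGI specification upper-cases request header names when mapping them into HTTP_* variables, so an attacker-supplied request header can produce HTTP_PROXY but never the lower-case http_proxy; the check uses REQUEST_METHOD as the indicator that CGI variables are present. The function names (resolve_http_proxy, audit_proxy_env) and the sample environments are assumptions made up for this example. One caveat the message does not mention: on Windows, environment variable names are case-insensitive, so the lower-case lookup would also match the request-derived value; the code ignores both forms under CGI in that case.

```python
import os

# Constructed sample environments (not taken from any real server).
CLEAN_SHELL_ENV = {"http_proxy": "http://proxy.example:3128"}
CGI_WITH_INJECTED_PROXY = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/app",
    # Value a web server would derive from a client-supplied "Proxy:" header.
    "HTTP_PROXY": "http://injected.example:8080",
}


def running_under_cgi(environ):
    """CGI servers always set REQUEST_METHOD and populate HTTP_* from headers."""
    return "REQUEST_METHOD" in environ


def resolve_http_proxy(environ=None):
    """Return the proxy URL an application should honour, or None.

    Rules:
      * lower-case http_proxy is honoured (cannot be set via a CGI request header
        because CGI upper-cases header names);
      * upper-case HTTP_PROXY is honoured only outside CGI;
      * under CGI on Windows neither is honoured, since the environment is
        case-insensitive and http_proxy would alias HTTP_PROXY.
    """
    env = os.environ if environ is None else environ
    under_cgi = running_under_cgi(env)

    if under_cgi and os.name == "nt":
        return None

    lower = env.get("http_proxy")
    if lower:
        return lower

    if under_cgi:
        # HTTP_PROXY here may simply be the request's "Proxy:" header.
        return None

    return env.get("HTTP_PROXY") or None


def audit_proxy_env(environ=None):
    """Return a list of human-readable findings about proxy variables.

    Intended for a pre-request check or log line in a CGI application so an
    operator can see when a request-derived HTTP_PROXY was present and ignored.
    """
    env = os.environ if environ is None else environ
    findings = []
    if running_under_cgi(env) and env.get("HTTP_PROXY"):
        findings.append(
            "HTTP_PROXY=%r present in CGI environment; ignored as possibly "
            "request-derived" % env["HTTP_PROXY"]
        )
    if env.get("http_proxy") and env.get("HTTP_PROXY") \
            and env["http_proxy"] != env["HTTP_PROXY"]:
        findings.append(
            "http_proxy and HTTP_PROXY disagree; only http_proxy is honoured"
        )
    return findings


if __name__ == "__main__":
    for name, env in (("shell", CLEAN_SHELL_ENV), ("cgi", CGI_WITH_INJECTED_PROXY)):
        print(name, "->", resolve_http_proxy(env), audit_proxy_env(env))
```

Run as a script it prints the resolved proxy for each constructed environment; in the CGI case the injected value is dropped and the audit function reports it, which is the line worth writing to the server log.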