[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#436520: There is no policy on HTTP_PROXY variable, can we create one?

On Fri, 17 Aug 2007, Junichi Uekawa wrote:
> HTTP_PROXY, or http_proxy (and ftp_proxy) is used in many
> applications within Debian.
> 
> There is a well-known remote attack using HTTP_* variables can be
> set to arbitrary values for CGI scripts, and thus there is a need
> for protection against that.

Is there any reason why programs which use HTTP_PROXY can't check
GATEWAY_INTERFACE, SERVER_NAME, REQUEST_METHOD or similar and ignore
the capitalized env variable in such a case?

[For reference, LWP ignores HTTP_PROXY for CGI_HTTP_PROXY in the
presence of REQUEST_METHOD.]

The alternative is just to require CGIs to unset HTTP_PROXY (though
CGI writers sometimes aren't terribly aware of these things.)


Don Armstrong

-- 
"It's not Hollywood. War is real, war is primarily not about defeat or
victory, it is about death. I've seen thousands and thousands of dead
bodies. Do you think I want to have an academic debate on this
subject?"
 -- Robert Fisk

http://www.donarmstrong.com              http://rzlab.ucr.edu
Reply to: