Bug#436520: There is no policy on HTTP_PROXY variable, can we create one?
On Fri, 17 Aug 2007, Junichi Uekawa wrote:
> HTTP_PROXY, or http_proxy (and ftp_proxy) is used in many
> applications within Debian.
> There is a well-known remote attack using HTTP_* variables, which can
> be set to arbitrary values for CGI scripts, and thus there is a need
> for protection against that.
Is there any reason why programs which use HTTP_PROXY can't check
GATEWAY_INTERFACE, SERVER_NAME, REQUEST_METHOD or similar and ignore
the capitalized env variable in such a case?
[For reference, LWP ignores HTTP_PROXY for CGI_HTTP_PROXY in the
presence of REQUEST_METHOD.]
The alternative is just to require CGIs to unset HTTP_PROXY (though
CGI writers sometimes aren't terribly aware of these things.)
"It's not Hollywood. War is real, war is primarily not about defeat or
victory, it is about death. I've seen thousands and thousands of dead
bodies. Do you think I want to have an academic debate on this
-- Robert Fisk
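The two approaches discussed in this thread, as an added illustration that is not code from the bug report or from any Debian package: a client-side proxy resolver that ignores the capitalized HTTP_PROXY whenever CGI marker variables (GATEWAY_INTERFACE, REQUEST_METHOD, SERVER_NAME) are present and falls back to CGI_HTTP_PROXY instead, in the spirit of the LWP behaviour mentioned above, plus a CGI-side helper that unsets HTTP_PROXY before any child program runs. The function names and the sample environments are constructed for this example.

```python
import os

# Variables a CGI-aware web server sets for every request; their presence
# means uppercase HTTP_* variables may have come from request headers
# (the "Proxy:" header becomes HTTP_PROXY under the CGI mapping).
CGI_MARKERS = ("GATEWAY_INTERFACE", "REQUEST_METHOD", "SERVER_NAME")


def running_as_cgi(env):
    """True if any CGI marker variable is set in the given environment."""
    return any(marker in env for marker in CGI_MARKERS)


def resolve_proxy(scheme, env=None):
    """Return the proxy URL to use for `scheme` ('http' or 'ftp'), or None.

    The lowercase form (http_proxy, ftp_proxy) is always honoured: the CGI
    mapping uppercases header names, so it cannot be injected by a client.
    The uppercase HTTP_PROXY is honoured only outside a CGI context; inside
    one, CGI_HTTP_PROXY (set deliberately by the administrator) replaces it.
    """
    if env is None:
        env = os.environ
    lower = env.get(f"{scheme}_proxy")
    if lower:
        return lower
    if scheme == "http":
        if running_as_cgi(env):
            return env.get("CGI_HTTP_PROXY") or None
        return env.get("HTTP_PROXY") or None
    # Other schemes: the uppercase name does not collide with a header.
    return env.get(f"{scheme.upper()}_PROXY") or None


def scrub_cgi_env(env):
    """Alternative for CGI authors: drop HTTP_PROXY when running as a CGI.

    Returns a copy of `env` safe to pass to child processes that use
    uppercase HTTP_PROXY without checking for a CGI context.
    """
    cleaned = dict(env)
    if running_as_cgi(cleaned):
        cleaned.pop("HTTP_PROXY", None)
    return cleaned


# Constructed sample environments (not captured from a real server).
SHELL_ENV = {"HTTP_PROXY": "http://proxy.internal.example:3128"}

CGI_ENV = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REQUEST_METHOD": "GET",
    "SERVER_NAME": "www.example",
    # Value a request header could have placed here:
    "HTTP_PROXY": "http://untrusted.example:8080",
    "CGI_HTTP_PROXY": "http://proxy.internal.example:3128",
}


if __name__ == "__main__":
    print("shell:", resolve_proxy("http", SHELL_ENV))
    print("cgi  :", resolve_proxy("http", CGI_ENV))
    print("scrubbed keys:", sorted(scrub_cgi_env(CGI_ENV)))
```

Resolving from the shell environment yields the configured proxy, resolving from the CGI environment yields only the administrator-set CGI_HTTP_PROXY, and the scrubbed CGI environment no longer carries HTTP_PROXY at all.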