[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#436520: There is no policy on HTTP_PROXY variable, can we create one?


> > HTTP_PROXY, or http_proxy (and ftp_proxy) is used in many
> > applications within Debian.
> > 
> > There is a well-known remote attack using HTTP_* variables can be
> > set to arbitrary values for CGI scripts, and thus there is a need
> > for protection against that.
> Is there any reason why programs which use HTTP_PROXY can't check
> the capitalized env variable in such a case?
> [For reference, LWP ignores HTTP_PROXY for CGI_HTTP_PROXY in the
> presence of REQUEST_METHOD.]
> The alternative is just to require CGIs to unset HTTP_PROXY (though
> CGI writers sometimes aren't terribly aware of these things.)

I think there also is a bit of confusion with handling of HTTP_PROXY
and http_proxy.

Looking at apache source, you can set 'HTTP_*' to arbitrary values,
and thus 'HTTP_PROXY' is a remotely modifiable variable, but
'http_proxy' is not.

That seems like the reason for some application to move into
lower-case http_proxy instead of HTTP_PROXY.

I don't quite fully understand the reasoning behind

1.  HTTP_PROXY is still used

2.  http_proxy is used and environment is checked for CGI invocation
(it should be safe, right?)

Could someone shed some light on this?

dancer@{debian.org,netfort.gr.jp}   Debian Project

Reply to: