
Bug#436520: There is no policy on HTTP_PROXY variable, can we create one?



Hi,

> > HTTP_PROXY, or http_proxy (and ftp_proxy) is used in many
> > applications within Debian.
> > 
> > There is a well-known remote attack in which HTTP_* variables can be
> > set to arbitrary values for CGI scripts, and thus there is a need
> > for protection against that.
> 
> Is there any reason why programs which use HTTP_PROXY can't check
> GATEWAY_INTERFACE, SERVER_NAME, REQUEST_METHOD or similar and ignore
> the capitalized env variable in such a case?
> 
> [For reference, LWP ignores HTTP_PROXY for CGI_HTTP_PROXY in the
> presence of REQUEST_METHOD.]
> 
> The alternative is just to require CGIs to unset HTTP_PROXY (though
> CGI writers sometimes aren't terribly aware of these things.)

I think there also is a bit of confusion with handling of HTTP_PROXY
and http_proxy.

Looking at the Apache source, you can set 'HTTP_*' to arbitrary values,
and thus 'HTTP_PROXY' is a remotely modifiable variable, but
'http_proxy' is not.

That seems like the reason for some applications to move to
lower-case http_proxy instead of HTTP_PROXY.

I don't quite fully understand the reasoning behind

1.  HTTP_PROXY is still used

2.  http_proxy is used and environment is checked for CGI invocation
(it should be safe, right?)


Could someone shed some light on this?

regards,
	junichi
-- 
dancer@{debian.org,netfort.gr.jp}   Debian Project
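
The check discussed in this thread, written out as an added example (not code from the message, from LWP or from any Debian package): proxy selection that trusts lower-case http_proxy, ignores HTTP_PROXY when CGI marker variables are present, and falls back to CGI_HTTP_PROXY as the thread says LWP does. The function names, the precedence order and the sample environments are assumptions made for illustration.

```python
import os

# Variables a web server sets for a CGI script (the ones named in the thread).
CGI_MARKERS = ("GATEWAY_INTERFACE", "SERVER_NAME", "REQUEST_METHOD")


def running_as_cgi(env):
    """True if any CGI marker variable is present and non-empty."""
    return any(env.get(name) for name in CGI_MARKERS)


def select_http_proxy(env=None):
    """Return (proxy_url, source_variable), or (None, None) if no proxy is trusted."""
    env = os.environ if env is None else env
    # CGI turns each request header "Name: v" into HTTP_NAME=v, always upper-case,
    # so the lower-case spelling cannot originate from the remote client.
    # Caveat: Windows environment names are case-insensitive, so this
    # distinction only holds on POSIX systems.
    if env.get("http_proxy"):
        return env["http_proxy"], "http_proxy"
    if running_as_cgi(env):
        # HTTP_PROXY may be client-controlled here; accept only the
        # CGI-specific name that LWP uses in this situation.
        if env.get("CGI_HTTP_PROXY"):
            return env["CGI_HTTP_PROXY"], "CGI_HTTP_PROXY"
        return None, None
    if env.get("HTTP_PROXY"):
        return env["HTTP_PROXY"], "HTTP_PROXY"
    return None, None


def scrub_cgi_env(env):
    """Copy of env with HTTP_PROXY removed when running as CGI (the 'unset' option)."""
    clean = dict(env)
    if running_as_cgi(clean):
        clean.pop("HTTP_PROXY", None)
    return clean


# Constructed sample environments (not taken from the thread).
SHELL_ENV = {"HTTP_PROXY": "http://proxy.internal.example:3128"}
CGI_ENV = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REQUEST_METHOD": "GET",
    "HTTP_PROXY": "http://untrusted.example:8080",  # derived from a request header
}

if __name__ == "__main__":
    for label, env in (("shell", SHELL_ENV), ("cgi", CGI_ENV)):
        print(label, select_http_proxy(env), sorted(scrub_cgi_env(env)))
```
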


