I had a quick look at the code too (both in wheezy and jessie), but I couldn't find the offending bits. Perhaps it'd be good to put together a small web server and see what happens when you pass the 'Proxy' header.


This security vulnerability is described here:



"sets environmental variable based on user supplied Proxy request"

In particular it is talking about HTTP_PROXY, and it is only a problem if
the server makes an outgoing HTTP request using this value.

Looking at this, I am inclined to say this isn't a security issue in
twisted itself, rather some unspecified applications that use twisted.

Just trying to double check this. I can't find any references
(case-insensitive) of "HTTP_PROXY" in the twisted source however.

This appears to be confirmed by the first sentence in the redhat bug

"Many software projects and vendors have implemented support for the
“Proxy” request header in their respective CGI implementations and
languages by creating the “HTTP_PROXY” environmental variable based on
the header value."

There are a number of projects in Debian that use twisted, should we
check each one?

Sure would be good if I had an example application that was confirmed
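The mechanism the thread is circling (a CGI-style gateway exporting a client-supplied "Proxy:" header as HTTP_PROXY, which only matters if something on the server then consults HTTP_PROXY for an outbound request) is easy to reproduce without a real web server. The following is an added example, not code from this bug thread, from Twisted or from the Red Hat bug; the header-to-variable mapping follows RFC 3875 section 4.1.18, the request headers are constructed for the demonstration, and the function names and the attacker.test host are assumptions for illustration:

```python
"""Added example (not from the Debian/Twisted bug thread): how a CGI-style
gateway turns a client-supplied "Proxy:" request header into HTTP_PROXY,
and why that is only a problem when server-side code later reads
HTTP_PROXY to pick an outbound proxy. All request data is constructed."""
import os
import urllib.request
from unittest import mock


def cgi_environ(method, path, headers, drop_proxy_header=False):
    """Build the HTTP_* meta-variables a CGI gateway derives from request
    headers (RFC 3875 section 4.1.18): upper-case the name, turn '-' into
    '_' and prefix 'HTTP_'.  With drop_proxy_header=True the client's
    "Proxy" header is not exported, which is the usual httpoxy mitigation
    on the gateway side."""
    env = {
        "REQUEST_METHOD": method,       # marks the process as a CGI script
        "PATH_INFO": path,
        "SERVER_PROTOCOL": "HTTP/1.1",
    }
    for name, value in headers:
        if drop_proxy_header and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env):
    """What a naive HTTP client does: honour HTTP_PROXY from the process
    environment (case-insensitively) when deciding where to send outbound
    requests.  This is the 'server makes an outgoing HTTP request using
    this value' half of the problem."""
    for name, value in env.items():
        if name.lower() == "http_proxy" and value:
            return value
    return None


def stdlib_outbound_proxy(env):
    """Ask urllib which proxy it would use under this process environment.
    Pythons carrying the CVE-2016-1000110 fix (2.7.13 / 3.5.3 and later)
    ignore HTTP_PROXY when REQUEST_METHOD is set, i.e. inside a CGI script;
    older ones return the attacker-supplied URL here too."""
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies().get("http")


# Constructed request: an ordinary GET carrying an attacker-chosen Proxy header.
CONSTRUCTED_REQUEST_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "curl/7.0"),
    ("Proxy", "http://attacker.test:8080"),   # hypothetical attacker host
]


if __name__ == "__main__":
    env = cgi_environ("GET", "/cgi-bin/app", CONSTRUCTED_REQUEST_HEADERS)
    print("HTTP_PROXY exported by gateway :", env.get("HTTP_PROXY"))
    print("naive client would proxy via   :", naive_outbound_proxy(env))
    print("this Python's urllib uses      :", stdlib_outbound_proxy(env))
    hardened = cgi_environ("GET", "/cgi-bin/app",
                           CONSTRUCTED_REQUEST_HEADERS, drop_proxy_header=True)
    print("after dropping the Proxy header:", naive_outbound_proxy(hardened))
```

Running it shows both halves separately: the gateway half (HTTP_PROXY appears in the environment) is what the Red Hat text describes, and the client half (naive_outbound_proxy returning the attacker's URL) is what turns it into a vulnerability, so grepping Twisted for HTTP_PROXY only covers the second half; the first half is any code path that builds a CGI environment from request headers. The stdlib_outbound_proxy call is a quick way to check whether the interpreter on a given host already refuses HTTP_PROXY in a CGI context.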
