Roundup Tracker - Issues

Issue 2550925

Classification
Is roundup affected by faked HTTP_PROXY cgi setting?
Type: security
Severity: normal
Components: Web interface
Versions:
Process
Status: fixed
Resolution: fixed
Assignee: rouilj
Nosy: rouilj, schlatterbeck
Priority: high

Created on 2016-07-18 21:53 by rouilj, last changed 2020-11-15 23:09 by rouilj.

Messages
msg5871 Author: [hidden] (rouilj) Date: 2016-07-18 21:53
Details at: https://httpoxy.org/

Basic idea AFAICT after a fast read.

If an HTTP header called PROXY is sent by the client, the CGI will see
that in its environment as HTTP_PROXY.

If the server does any http url retrievals (i.e. acts as an http
client), it may use HTTP_PROXY as it is a well known environment
variable for setting a proxy for an http client.

AFAIK the roundup core does no HTTP retrievals. However detectors and
the concept behind issue2550923 (Create new Computed property type)
could certainly do remote rest or other http lookups.

I think this can be defended from by erasing the HTTP_PROXY setting in
the env array. People that require http proxies in their detectors
etc. can set that in the config.ini and explicitly use it.
msg5873 Author: [hidden] (schlatterbeck) Date: 2016-07-19 10:13
On Mon, Jul 18, 2016 at 09:53:33PM +0000, John Rouillard wrote:
> If an HTTP header called PROXY is sent by the client, the CGI will see
> that in its environment as HTTP_PROXY.
> 
> If the server does any http url retrievals (i.e. acts as an http
> client), it may use HTTP_PROXY as it is a well known environment
> variable for setting a proxy for an http client.

Isn't the standard http_proxy environment variable in lowercase (on
Linux at least)?
msg5875 Author: [hidden] (rouilj) Date: 2016-07-19 13:12
In message <20160719101320.GC24820@runtux.com>,
Ralf Schlatterbeck writes:
>
>Ralf Schlatterbeck added the comment:
>
>On Mon, Jul 18, 2016 at 09:53:33PM +0000, John Rouillard wrote:
>> If an HTTP header called PROXY is sent by the client, the CGI will see
>> that in its environment as HTTP_PROXY.
>> 
>> If the server does any http url retrievals (i.e. acts as an http
>> client), it may use HTTP_PROXY as it is a well known environment
>> variable for setting a proxy for an http client.
>
>Isn't the standard http_proxy environment variable in lowercase (on
>Linux at least)?

Depends. Some packages will accept upper or lower case according to
the web site.

Curl only accepts lower case for http_proxy but accepts upper or lower
case for HTTPS_PROXY. That inconsistency is probably because of this
bug. So this bug won't be a problem for somebody who uses PyCURL to
grab a remote url.

But for others???
msg6739 Author: [hidden] (rouilj) Date: 2019-10-13 21:32
Added the following to roundup/cgi/client.py-Client::main()

        # strip HTTP_PROXY issue2550925 in case
        # PROXY header is set.
        if 'HTTP_PROXY' in self.env:
            del self.env['HTTP_PROXY']
        if 'HTTP_PROXY' in os.environ:
            del os.environ['HTTP_PROXY']

This removes the variable from code flows in the rest, xmlrpc and
inner_main (web) interface.

Any review notes Ralf?
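The strip above, as an added example that is not Roundup's own code: it mimics the CGI mapping of a client-supplied Proxy header to HTTP_PROXY, shows that Python's urllib honours the upper-case name (unlike curl, as noted in msg5875) when such an environment is passed through unchanged, and then applies the same strip. The header values, the 203.0.113.10 address and the helper names are constructed for this example.

```python
import os
from urllib.request import getproxies_environment

# Constructed request headers for the example; "Proxy" is the client-supplied
# header the issue is about. 203.0.113.10 is a documentation address.
CONSTRUCTED_HEADERS = {
    "Host": "tracker.example.test",
    "User-Agent": "constructed-sample/1.0",
    "Proxy": "http://203.0.113.10:8080",
}


def headers_to_cgi_env(headers):
    """Mimic the CGI gateway: header 'Proxy' becomes HTTP_PROXY."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}


def strip_http_proxy(env):
    """Same strip as Client::main(): drop HTTP_PROXY from the request env and
    from os.environ so code run later (detectors etc.) cannot inherit it.
    Returns True if anything was removed."""
    removed = False
    for mapping in (env, os.environ):
        if "HTTP_PROXY" in mapping:
            del mapping["HTTP_PROXY"]
            removed = True
    return removed


def proxy_seen_by_urllib(env):
    """What a urllib client would use if `env` were exported unchanged.
    urllib lowercases variable names, so HTTP_PROXY counts. The constructed
    env omits REQUEST_METHOD on purpose: current Python ignores HTTP_PROXY
    when that CGI variable is set, which would hide the raw behaviour."""
    saved = dict(os.environ)
    try:
        os.environ.clear()
        os.environ.update(env)
        return getproxies_environment().get("http")
    finally:
        os.environ.clear()
        os.environ.update(saved)


def run_demo():
    """Return (proxy before strip, whether anything was stripped, proxy after)."""
    env = headers_to_cgi_env(CONSTRUCTED_HEADERS)
    before = proxy_seen_by_urllib(env)
    removed = strip_http_proxy(env)
    return before, removed, proxy_seen_by_urllib(env)


if __name__ == "__main__":
    print(run_demo())  # ('http://203.0.113.10:8080', True, None)
```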
msg7029 Author: [hidden] (rouilj) Date: 2020-11-15 23:09
Closing. New code path has test and is being tested according to codecov.
History
Date User Action Args
2020-11-15 23:09:33 rouilj set status: pending -> fixed; resolution: fixed
2020-11-15 23:09:19 rouilj set messages: + msg7029
2019-10-13 21:32:47 rouilj set status: new -> pending; assignee: rouilj; messages: + msg6739; components: + Web interface
2016-07-19 13:12:01 rouilj set messages: + msg5875
2016-07-19 10:13:24 schlatterbeck set nosy: + schlatterbeck; messages: + msg5873
2016-07-18 22:00:28 rouilj set priority: high
2016-07-18 21:53:33 rouilj create