Roundup Tracker - Issues

Issue 2550925

classification
Title: Is roundup affected by faked HTTP_PROXY cgi setting?
Type: security Severity: normal
Components: Versions:
process
Status: new Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: rouilj, schlatterbeck
Priority: high Keywords:

Created on 2016-07-18 21:53 by rouilj, last changed 2016-07-19 13:12 by rouilj.

Messages
msg5871 Author: [hidden] (rouilj) Date: 2016-07-18 21:53
Details at: https://httpoxy.org/

Basic idea AFAICT after a fast read.

If an HTTP header called PROXY is sent by the client, the CGI will see
that in its environment as HTTP_PROXY.

If the server does any http url retrievals (i.e. acts as an http
client), it may use HTTP_PROXY as it is a well known environment
variable for setting a proxy for an http client.

AFAIK the roundup core does no HTTP retrievals. However detectors and
the concept behind issue2550923 (Create new Computed property type)
could certainly do remote rest or other http lookups.

I think this can be defended against by erasing the HTTP_PROXY setting in
the env array. People that require http proxies in their detectors
etc. can set that in the config.ini and explicitly use it.
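The mechanism and the proposed defence, as an added example (this is not Roundup's code and not from the tracker thread): a small simulation of the CGI gateway step that turns a client's `Proxy:` header into `HTTP_PROXY`, a naive client-side proxy lookup of the kind msg5871 worries about, and the scrub that removes `HTTP_PROXY` when the script runs as a CGI. The function names, the lookup order in `naive_proxy_from_env`, and the sample request are assumptions made for illustration; the uppercase-only point (a request header can never yield a lowercase `http_proxy`, so an operator-set lowercase value survives the scrub) is what the case discussion later in the thread turns on.

```python
"""Added example, not Roundup's own code: how a "Proxy:" request header
reaches a CGI script as HTTP_PROXY, and the scrub proposed in msg5871.
All names, sample headers and the proxy lookup order are constructed."""
from typing import Dict, Mapping, MutableMapping, Optional


def cgi_environ_from_request(headers: Mapping[str, str], method: str = "GET") -> Dict[str, str]:
    """Simulated CGI gateway: every request header becomes a meta-variable.

    "Proxy: x" -> HTTP_PROXY=x.  The name is upper-cased and prefixed with
    HTTP_, so a client can only ever produce the upper-case form; it cannot
    inject a lower-case "http_proxy".
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env


def naive_proxy_from_env(env: Mapping[str, str]) -> Optional[str]:
    """Model of an HTTP client that honours either spelling of the proxy
    variable (lookup order is an assumption; curl, for example, ignores
    the upper-case HTTP_PROXY for plain http and would not be fooled)."""
    for name in ("http_proxy", "HTTP_PROXY"):
        if env.get(name):
            return env[name]
    return None


def scrub_httpoxy(env: MutableMapping[str, str]) -> Optional[str]:
    """Defence from msg5871: in a CGI context (REQUEST_METHOD is set), drop
    HTTP_PROXY before any detector or HTTP client can read it.

    Returns the removed value, or None if there was nothing to remove or
    the process is not a CGI (where HTTP_PROXY is a legitimate setting).
    An admin-set lower-case http_proxy is left alone: it cannot have come
    from a request header.  Works on os.environ as well as on a dict.
    """
    if "REQUEST_METHOD" not in env:
        return None
    return env.pop("HTTP_PROXY", None)


def demo() -> Dict[str, Optional[str]]:
    # Constructed request: an ordinary GET with an attacker-added Proxy header.
    headers = {"Host": "tracker.example", "Proxy": "http://attacker.example:8080"}
    env = cgi_environ_from_request(headers)
    before = naive_proxy_from_env(env)   # attacker-controlled proxy
    removed = scrub_httpoxy(env)
    after = naive_proxy_from_env(env)    # None once scrubbed
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the attacker's proxy as `before` and `None` as `after`. In a real deployment the scrub would be `scrub_httpoxy(os.environ)` at CGI start-up, before any detector imports an HTTP client, and a detector that genuinely needs a proxy would take it from config.ini rather than from the environment, as msg5871 suggests. Note that newer releases of Python's own `urllib` apply the same rule internally and ignore `HTTP_PROXY` whenever `REQUEST_METHOD` is present in the environment, but a detector using a different client library gets no such protection.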
msg5873 Author: [hidden] (schlatterbeck) Date: 2016-07-19 10:13
On Mon, Jul 18, 2016 at 09:53:33PM +0000, John Rouillard wrote:
> If an HTTP header called PROXY is sent by the client, the CGI will see
> that in its environment as HTTP_PROXY.
> 
> If the server does any http url retrievals (i.e. acts as an http
> client), it may use HTTP_PROXY as it is a well known environment
> variable for setting a proxy for an http client.

Isn't the standard http_proxy environment variable in lowercase (on
Linux at least)?
msg5875 Author: [hidden] (rouilj) Date: 2016-07-19 13:12
In message <20160719101320.GC24820@runtux.com>,
Ralf Schlatterbeck writes:
>
>Ralf Schlatterbeck added the comment:
>
>On Mon, Jul 18, 2016 at 09:53:33PM +0000, John Rouillard wrote:
>> If an HTTP header called PROXY is sent by the client, the CGI will see
>> that in its environment as HTTP_PROXY.
>> 
>> If the server does any http url retrievals (i.e. acts as an http
>> client), it may use HTTP_PROXY as it is a well known environment
>> variable for setting a proxy for an http client.
>
>Isn't the standard http_proxy environment variable in lowercase (on
>Linux at least)?

Depends. Some packages will accept upper or lower case according to
the web site.

Curl only accepts lower case for http_proxy but accepts upper or lower
case for HTTPS_PROXY. That inconsistency is probably because of this
bug. So this bug won't be a problem for somebody who uses PyCURL to
grab a remote url.

But for others???
History
Date                 User           Action  Args
2016-07-19 13:12:01  rouilj         set     messages: + msg5875
2016-07-19 10:13:24  schlatterbeck  set     nosy: + schlatterbeck
                                            messages: + msg5873
2016-07-18 22:00:28  rouilj         set     priority: high
2016-07-18 21:53:33  rouilj         create