Message5081
Hello John.
> I am wondering if there are any security implications as a result of
> converting all headers to environment variables?
1. Environment variables prefixed by HTTP_ are always treated as externally
defined variables. So it is assumed that they are on the evil side.
2. Roundup-tracker (RT) manually sets its own "env" dictionary after
headersToEnviron() fills this dictionary. If some variable name
collision occurs, RT wins because it has the last word. As I see it.
> If the headersToEnviron() function is only being used to ensure that the
> one header specified by the WEB_UID_VARIABLE is set as an environment
> variable, might it be better to convert only that one header to an
> environment variable instead of all of them?
3. RT manually hardcodes only 5 variables (see code). As I remember there
are more than 5 in the HTTP standard. Maybe the better way is to just
remove this code and rely on the headersToEnviron() function only.
Code (roundup-server.py):
    if co:
        env['HTTP_COOKIE'] = ', '.join(co)
    env['HTTP_AUTHORIZATION'] = self.headers.getheader('authorization')
    env['SCRIPT_NAME'] = ''
    env['SERVER_NAME'] = self.server.server_name
    env['SERVER_PORT'] = str(self.server.server_port)
    try:
        env['HTTP_HOST'] = self.headers['host']
    except KeyError:
        env['HTTP_HOST'] = ''
    if os.environ.has_key('CGI_SHOW_TIMING'):
        env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
    env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
    range = self.headers.getheader('range')
    if range:
        env['HTTP_RANGE'] = range
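The two points above (every client header lands under the HTTP_ prefix and is therefore untrusted; server-assigned variables are written afterwards and win any name collision) and John's alternative of exporting only the WEB_UID_VARIABLE header can be shown side by side. The following is an added illustration, not code from Roundup or from this thread; the header names, `headers_to_environ`, `build_cgi_env`, `only_uid_header_to_environ` and the sample request are all constructed for the example.

```python
import re

# Constructed sample request, as (name, value) pairs in arrival order.
# "Server-Name" is a client deliberately reusing the name of a server variable;
# "Remote-User" stands in for whatever header WEB_UID_VARIABLE names.
SAMPLE_HEADERS = [
    ("Host", "tracker.example.test"),
    ("Cookie", "roundup_session=abc"),
    ("Cookie", "theme=dark"),
    ("Remote-User", "alice"),
    ("Server-Name", "client-chosen"),
    ("Accept-Language", "en"),
]


def header_to_env_name(name):
    """CGI naming rule: upper-case, non-alphanumerics become '_', prefix HTTP_."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())


def headers_to_environ(headers):
    """Convert every request header into an HTTP_* variable (hypothetical
    stand-in for headersToEnviron()).  Repeated headers are joined with
    ', ' just like the Cookie handling in the code quoted above."""
    env = {}
    for name, value in headers:
        key = header_to_env_name(name)
        env[key] = env[key] + ", " + value if key in env else value
    return env


def build_cgi_env(headers, server_name, server_port):
    """Header conversion first, then server-controlled values.  Because the
    server writes last, a client header can only ever occupy an HTTP_* slot;
    it cannot displace SERVER_NAME, SERVER_PORT or SCRIPT_NAME."""
    env = headers_to_environ(headers)
    env["SCRIPT_NAME"] = ""
    env["SERVER_NAME"] = server_name
    env["SERVER_PORT"] = str(server_port)
    env.setdefault("HTTP_HOST", "")   # mirrors the KeyError fallback above
    return env


def only_uid_header_to_environ(headers, uid_header_name):
    """John's alternative: export just the one header WEB_UID_VARIABLE names."""
    key = header_to_env_name(uid_header_name)
    for name, value in headers:
        if name.lower() == uid_header_name.lower():
            return {key: value}
    return {}


def external_keys(env):
    """The set a consumer must treat as attacker-controlled: exactly the
    HTTP_* names, never the server-assigned ones."""
    return sorted(k for k in env if k.startswith("HTTP_"))


if __name__ == "__main__":
    env = build_cgi_env(SAMPLE_HEADERS, "tracker.local", 8080)
    for k in sorted(env):
        print("%-22s = %s" % (k, env[k]))
    print("untrusted:", external_keys(env))
    print("uid only:", only_uid_header_to_environ(SAMPLE_HEADERS, "Remote-User"))
```

Running it shows the client's `Server-Name` header ending up as `HTTP_SERVER_NAME` while `SERVER_NAME` keeps the server's value, which is the collision rule point 2 describes; the single-header variant produces only `HTTP_REMOTE_USER`, so nothing else from the client reaches the environment at all.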
Date                | User    | Action | Args
2014-04-15 08:29:08 | antmail | set    | messageid: <1397550548.69.0.776853314948.issue2550837@psf.upfronthosting.co.za>
2014-04-15 08:29:08 | antmail | set    | recipients: + antmail, ber, jerrykan
2014-04-15 08:29:08 | antmail | link   | issue2550837 messages
2014-04-15 08:29:07 | antmail | create |