Details at: https://httpoxy.org/

Basic idea AFAICT after a fast read.

If an HTTP header called PROXY is sent by the client, the CGI will see
that in its environment as HTTP_PROXY.

If the server does any http url retrievals (i.e. acts as an http
client), it may use HTTP_PROXY as it is a well known environment
variable for setting a proxy for an http client.

AFAIK the roundup core does no HTTP retrievals. However detectors and
the concept behind issue2550923 (Create new Computed property type)
could certainly do remote rest or oher http lookups.

I think this can be defended from by erasing the HTTP_PROXY setting in
the env array. People that require http proxies in their detectors
etc. can set that in the config.ini and explicitly use it.