Roundup Tracker - Issues

Issue 2550925

classification
Title: Is roundup affected by faked HTTP_PROXY cgi setting?
Type: security Severity: normal
Components: Web interface Versions:
process
Status: pending Resolution:
Dependencies: Superseder:
Assigned To: rouilj Nosy List: rouilj, schlatterbeck
Priority: high Keywords:

Created on 2016-07-18 21:53 by rouilj, last changed 2019-10-13 21:32 by rouilj.

Messages
msg5871 Author: [hidden] (rouilj) Date: 2016-07-18 21:53
Details at: https://httpoxy.org/

Basic idea AFAICT after a fast read.

If an HTTP header called PROXY is sent by the client, the CGI will see
that in its environment as HTTP_PROXY.

If the server does any http url retrievals (i.e. acts as an http
client), it may use HTTP_PROXY as it is a well known environment
variable for setting a proxy for an http client.

AFAIK the roundup core does no HTTP retrievals. However detectors and
the concept behind issue2550923 (Create new Computed property type)
could certainly do remote rest or oher http lookups.

I think this can be defended from by erasing the HTTP_PROXY setting in
the env array. People that require http proxies in their detectors
etc. can set that in the config.ini and explicitly use it.
msg5873 Author: [hidden] (schlatterbeck) Date: 2016-07-19 10:13
On Mon, Jul 18, 2016 at 09:53:33PM +0000, John Rouillard wrote:
> If an HTTP header called PROXY is sent by the client, the CGI will see
> that in its environment as HTTP_PROXY.
> 
> If the server does any http url retrievals (i.e. acts as an http
> client), it may use HTTP_PROXY as it is a well known environment
> variable for setting a proxy for an http client.

Isn't the standard http_proxy environment variable in lowercase (on
Linux at least)?
msg5875 Author: [hidden] (rouilj) Date: 2016-07-19 13:12
In message <20160719101320.GC24820@runtux.com>,
Ralf Schlatterbeck writes:
>
>Ralf Schlatterbeck added the comment:
>
>On Mon, Jul 18, 2016 at 09:53:33PM +0000, John Rouillard wrote:
>> If an HTTP header called PROXY is sent by the client, the CGI will see
>> that in its environment as HTTP_PROXY.
>> 
>> If the server does any http url retrievals (i.e. acts as an http
>> client), it may use HTTP_PROXY as it is a well known environment
>> variable for setting a proxy for an http client.
>
>Isn't the standard http_proxy environment variable in lowercase (on
>Linux at least)?

Depends. Some packages will accept upper or lower case according to
the web site.

Curl only accepts lower case for http_proxy but accepts upper or lower
case for HTTPS_PROXY. That inconsistancy is probably because of this
bug. So this bug won't be a problem for somebody who uses PyCURL to
grab a remote url.

But for others???
msg6739 Author: [hidden] (rouilj) Date: 2019-10-13 21:32
Added the following to roundup/cgi/client.py-Client::main()

        # strip HTTP_PROXY issue2550925 in case                                 
        # PROXY header is set.                                                  
        if 'HTTP_PROXY' in self.env:
            del(self.env['HTTP_PROXY'])
        if 'HTTP_PROXY' in os.environ:
            del(os.environ['HTTP_PROXY'])

This removes the variable from code flows in the rest, xmlrpc and
inner_main (web) interface.

Any review notes Ralf?
History
Date User Action Args
2019-10-13 21:32:47rouiljsetstatus: new -> pending
assignee: rouilj
messages: + msg6739
components: + Web interface
2016-07-19 13:12:01rouiljsetmessages: + msg5875
2016-07-19 10:13:24schlatterbecksetnosy: + schlatterbeck
messages: + msg5873
2016-07-18 22:00:28rouiljsetpriority: high
2016-07-18 21:53:33rouiljcreate