Roundup Tracker - Issues


Author antmail
Recipients antmail, ber, jerrykan
Date 2014-04-15.08:29:07
Message-id <>
Hello John.

> I am wondering if there are any security implications as a result of
> converting all headers to environment variables?

1. Environment variables prefixed by HTTP_ are always treated as externally
defined variables. So it is assumed that they are on the evil side.

2. Roundup-tracker (RT) manually sets its own "env" dictionary entries after
headersToEnviron() fills this dictionary. If some variable name
collision occurs, RT wins because it has the last word. As I see it.

> If the headersToEnviron() function is only being used to ensure that the
> one header specified by the WEB_UID_VARIABLE is set as an environment
> variable, might it be better to convert only that one header to an
> environment variable instead of all of them?

3. RT manually hardcodes only 5 variables (see code). As I remember, there
are more than 5 in the HTTP standard. Maybe the better way is to just
remove this code and rely on the headersToEnviron() function only.

Code:
        if co:
            env['HTTP_COOKIE'] = ', '.join(co)
        env['HTTP_AUTHORIZATION'] = self.headers.getheader('authorization')
        env['SCRIPT_NAME'] = ''
        env['SERVER_NAME'] = self.server.server_name
        env['SERVER_PORT'] = str(self.server.server_port)
        try:
            env['HTTP_HOST'] = self.headers ['host']
        except KeyError:
            env['HTTP_HOST'] = ''
        if os.environ.has_key('CGI_SHOW_TIMING'):
            env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
        env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
        range = self.headers.getheader('range')
        if range:
            env['HTTP_RANGE'] = range
Date                 User     Action  Args
2014-04-15 08:29:08  antmail  set     messageid: <>
2014-04-15 08:29:08  antmail  set     recipients: + antmail, ber, jerrykan
2014-04-15 08:29:08  antmail  link    issue2550837 messages
2014-04-15 08:29:07  antmail  create
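
Added example (not part of the original message and not Roundup's code): a sketch of the header-to-environment conversion discussed above. It shows that client headers only ever land under HTTP_ names, that server assignments made afterwards win any collision, and what converting a single header looks like. The body of headers_to_environ, its `only` parameter, build_env, client_controlled and the sample headers are assumptions made for illustration.

```python
# Added illustration; this headers_to_environ is an assumed implementation,
# not the function from the Roundup patch under discussion.

def headers_to_environ(headers, only=None):
    """Map (name, value) header pairs to CGI-style HTTP_* variables.

    only: optional iterable of header names; when given, every other
    header is ignored (the "convert just one header" option).
    """
    wanted = None if only is None else {h.lower() for h in only}
    env = {}
    for name, value in headers:
        if wanted is not None and name.lower() not in wanted:
            continue
        key = 'HTTP_' + name.upper().replace('-', '_')
        # Repeated headers are joined instead of silently overwritten.
        env[key] = env[key] + ', ' + value if key in env else value
    return env


def build_env(headers, server_name, server_port, only=None):
    """Fill env from the request, then apply the server's own values."""
    env = headers_to_environ(headers, only)
    hdr = {n.lower(): v for n, v in headers}
    # Server-side assignments come last, so they win any name collision.
    env['SCRIPT_NAME'] = ''
    env['SERVER_NAME'] = server_name
    env['SERVER_PORT'] = str(server_port)
    env['HTTP_HOST'] = hdr.get('host', '')
    return env


def client_controlled(env):
    """Names whose values came from the request and stay untrusted."""
    return sorted(k for k in env if k.startswith('HTTP_'))


# Constructed request headers for the demonstration.
SAMPLE = [
    ('Host', 'tracker.example'),
    ('Server-Name', 'spoofed.example'),
    ('X-Remote-User', 'alice'),
    ('Accept-Language', 'en'),
]
```

With SAMPLE, the client's Server-Name header ends up as HTTP_SERVER_NAME while SERVER_NAME keeps the value the server assigned.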