Protect against the HTTPoxy attack (HTTP_PROXY spoofing)

RESOLVED WORKSFORME

Status

Bugzilla
Bugzilla-General
RESOLVED WORKSFORME
a year ago
a year ago

People

(Reporter: dylan, Unassigned)

Tracking

5.1.1

Details

(Reporter)

Description

a year ago
I think taint mode actually protects us in this case, but we should ensure extra measures.

See also: https://httpoxy.org/
(Reporter)

Updated

a year ago
See Also: → bug 1287484
(Reporter)

Comment 1

a year ago
We don't use $ua->env_proxy anyway, but even if we did:

https://metacpan.org/pod/LWP::UserAgent#ua-env_proxy

> On systems with case insensitive environment variables there exists a name clash between
> the CGI environment variables and the HTTP_PROXY environment variable normally picked up by env_proxy().
> Because of this HTTP_PROXY is not honored for CGI scripts.
> The CGI_HTTP_PROXY environment variable can be used instead.

That said, I welcome an excuse to sanitize %ENV and force all code to use the $cgi object
(so that we can eventually replace it with a Plack::Request object)
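The %ENV sanitizing mentioned above, as an added illustration that is not part of this bug or of the Bugzilla code base. Under CGI the web server exposes a client-supplied `Proxy:` request header as `$ENV{HTTP_PROXY}`, which is the variable proxy-aware HTTP clients read for outgoing requests; `sanitize_cgi_env` and the sample environments below are assumed names and constructed values.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla code): scrub the client-controlled
# HTTP_PROXY variable from a CGI process environment before any
# outgoing HTTP request is built.
use strict;
use warnings;

# Takes a hashref (normally \%ENV). Returns the number of variables
# removed. Outside CGI the operator's own HTTP_PROXY is left alone.
sub sanitize_cgi_env {
    my ($env) = @_;
    # REQUEST_METHOD / GATEWAY_INTERFACE are set by the web server only
    # when we are running as a CGI program; that is the only context in
    # which HTTP_PROXY can have come from a request header.
    return 0 unless $env->{REQUEST_METHOD} || $env->{GATEWAY_INTERFACE};
    my $removed = 0;
    # Match case-insensitively: on some platforms HTTP_PROXY and
    # http_proxy are the same variable.
    for my $name (grep { /^http_proxy$/i } keys %$env) {
        delete $env->{$name};
        $removed++;
    }
    return $removed;
}

# Constructed sample: what a CGI script sees when the client sent
# "Proxy: http://untrusted.example:8080". CGI_HTTP_PROXY is the
# admin-configured variable LWP's env_proxy() honors instead and is kept.
my %cgi_env = (
    GATEWAY_INTERFACE => 'CGI/1.1',
    REQUEST_METHOD    => 'GET',
    HTTP_HOST         => 'bugs.example.org',
    HTTP_PROXY        => 'http://untrusted.example:8080',
    CGI_HTTP_PROXY    => 'http://proxy.internal.example:3128',
);
my $n = sanitize_cgi_env(\%cgi_env);
print "CGI environment: removed $n proxy variable(s)\n";
print "HTTP_PROXY still present: ",
      (exists $cgi_env{HTTP_PROXY} ? 'yes' : 'no'), "\n";
print "CGI_HTTP_PROXY kept: $cgi_env{CGI_HTTP_PROXY}\n";

# Constructed sample: a command-line run, where HTTP_PROXY is the
# operator's legitimate setting and must not be touched.
my %shell_env = (HTTP_PROXY => 'http://proxy.internal.example:3128');
print "Shell environment: removed ", sanitize_cgi_env(\%shell_env),
      " proxy variable(s)\n";
```

Run the scrub once at process start, before any module that reads proxy settings from the environment is loaded.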
(Reporter)

Comment 2

a year ago
Perl's libraries have been immune to this since 2001.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME

Updated

a year ago
Group: bugzilla-security