From cb25fbd5abc0f4eb07dbb8ea819e9c26bda4fc99 Mon Sep 17 00:00:00 2001
From: Senthil Kumaran <senthil@uthcode.com>
Date: Sat, 30 Jul 2016 05:49:53 -0700
Subject: [PATCH] python: fix CVE-2016-1000110
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prevent HTTPoxy attack (CVE-2016-1000110)

Ignore the HTTP_PROXY variable when the REQUEST_METHOD environment variable is
set, which indicates that the script is running in CGI mode.

Issue reported and patch contributed by Rémi Rampin.

Backport patch from https://hg.python.org/cpython/rev/ba915d561667/

Upstream-Status: Backport
CVE: CVE-2016-1000110
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>

Copied this file from morty since the old one didn't apply to python 2.7.12.
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 Doc/howto/urllib2.rst   |  5 +++++
 Doc/library/urllib.rst  | 10 ++++++++++
 Doc/library/urllib2.rst |  5 +++++
 Lib/test/test_urllib.py | 12 ++++++++++++
 Lib/urllib.py           |  9 +++++++++
 Misc/ACKS               |  1 +
 Misc/NEWS               |  4 ++++
 7 files changed, 46 insertions(+)

diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
index 6bb06d4..5cf2c0c 100644
--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
@@ -525,6 +525,11 @@ setting up a `Basic Authentication`_ handler: ::
     through a proxy.  However, this can be enabled by extending urllib2 as
     shown in the recipe [#]_.
 
+.. note::
+
+    ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+    the documentation on :func:`~urllib.getproxies`.
+
 
 Sockets and Layers
 ==================
diff --git a/Doc/library/urllib.rst b/Doc/library/urllib.rst
index 3b5dc16..bddcba9 100644
--- a/Doc/library/urllib.rst
+++ b/Doc/library/urllib.rst
@@ -295,6 +295,16 @@ Utility functions
    If both lowercase and uppercase environment variables exist (and disagree),
    lowercase is preferred.
 
+    .. note::
+
+        If the environment variable ``REQUEST_METHOD`` is set, which usually
+        indicates your script is running in a CGI environment, the environment
+        variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+        because that variable can be injected by a client using the "Proxy:"
+        HTTP header. If you need to use an HTTP proxy in a CGI environment,
+        either use ``ProxyHandler`` explicitly, or make sure the variable name
+        is in lowercase (or at least the ``_proxy`` suffix).
+
 .. note::
     urllib also exposes certain utility functions like splittype, splithost and
     others parsing URL into various components. But it is recommended to use
diff --git a/Doc/library/urllib2.rst b/Doc/library/urllib2.rst
index 8a4c80e..b808b98 100644
--- a/Doc/library/urllib2.rst
+++ b/Doc/library/urllib2.rst
@@ -229,6 +229,11 @@ The following classes are provided:
 
    To disable autodetected proxy pass an empty dictionary.
 
+    .. note::
+
+       ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+       see the documentation on :func:`~urllib.getproxies`.
+
 
 .. class:: HTTPPasswordMgr()
 
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index 434d533..27a1d38 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -170,6 +170,18 @@ class ProxyTests(unittest.TestCase):
         self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com:8888'))
         self.assertTrue(urllib.proxy_bypass_environment('newdomain.com:1234'))
 
+    def test_proxy_cgi_ignore(self):
+        try:
+            self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+            proxies = urllib.getproxies_environment()
+            self.assertEqual('http://somewhere:3128', proxies['http'])
+            self.env.set('REQUEST_METHOD', 'GET')
+            proxies = urllib.getproxies_environment()
+            self.assertNotIn('http', proxies)
+        finally:
+            self.env.unset('REQUEST_METHOD')
+            self.env.unset('HTTP_PROXY')
+
     def test_proxy_bypass_environment_host_match(self):
         bypass = urllib.proxy_bypass_environment
         self.env.set('NO_PROXY',
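Review bot: test_proxy_cgi_ignore never checks that an all-lowercase `http_proxy` is still honoured once `REQUEST_METHOD` is set, which is the escape hatch the patched documentation promises and the behaviour the lowercase restore loop in urllib.py exists for. After the `self.assertNotIn('http', proxies)` line I would add `self.env.set('http_proxy', 'http://elsewhere:3128')`, a fresh `proxies = urllib.getproxies_environment()` call and `self.assertEqual('http://elsewhere:3128', proxies['http'])`, with a matching `self.env.unset('http_proxy')` in the finally block. On platforms whose environment is case-insensitive the lowercase and uppercase names collide, so that extra assertion would presumably need to be skipped there — worth confirming before relying on it.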
diff --git a/Lib/urllib.py b/Lib/urllib.py
index 139fab9..c3ba2c9 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -1380,12 +1380,21 @@ def getproxies_environment():
     If you need a different way, you can pass a proxies dictionary to the
     [Fancy]URLopener constructor.
     """
+    # Get all variables
     proxies = {}
     for name, value in os.environ.items():
         name = name.lower()
         if value and name[-6:] == '_proxy':
             proxies[name[:-6]] = value
 
+    # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+    # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+    # header from the client
+    # If "proxy" is lowercase, it will still be used thanks to the next block
+    if 'REQUEST_METHOD' in os.environ:
+        proxies.pop('http', None)
+
+    # Get lowercase variables
     for name, value in os.environ.items():
         if name[-6:] == '_proxy':
             name = name.lower()
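Review bot: The comment above `proxies.pop('http', None)` says the variable is forgotten when it is "non-all-lowercase", but the restore loop that follows only requires the `_proxy` suffix to be lowercase (`name[-6:] == '_proxy'` is tested before `name.lower()`), so a name such as `HTTP_proxy` is also kept — which matches the wording added to urllib.rst in this patch, not this comment. I would reword it to `# (any name whose "_proxy" suffix is not all-lowercase) as it may be set from the web server by a "Proxy:" header from the client` so the code comment and the documented contract agree. The guard itself is scoped to the reported vector: only the `http` entry is dropped, and only when `REQUEST_METHOD` is present, which the commit uses as the CGI signal; the body of getproxies_environment continues past the end of the hunk.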
diff --git a/Misc/ACKS b/Misc/ACKS
index ee3a465..9c374b7 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1121,6 +1121,7 @@ Burton Radons
 Jeff Ramnani
 Varpu Rantala
 Brodie Rao
+Rémi Rampin
 Senko Rasic
 Antti Rasinen
 Nikolaus Rath
diff --git a/Misc/NEWS b/Misc/NEWS
index 4ab3a70..cc2f65b 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -187,6 +187,10 @@ Library
 - Issue #26644: Raise ValueError rather than SystemError when a negative
   length is passed to SSLSocket.recv() or read().
 
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+  that the script is in CGI mode.
+
 - Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
   instead of up to 1024.
 
-- 
2.8.1