webrick: protect from httpoxy
See problem documented at https://httpoxy.org/
Sorry my Internet connection is crap and I keep dropping.
Hope to commit within 24 hours.
Updated by nagachika (Tomoyuki Chikanaga) over 4 years ago
As noted in the article (https://httproxy.org/), Net::HTTP and URI::Generic.find_proxy has mitigation about this vulnerability.
The remaining issue was that when external programs was spawned in cgi handlers could be effected by HTTP_PROXY env. Is it right?
I don't have ssh key right now, I can commit it and backport at tonight.
How about the stable package releases?
Unfortunately I'm going to be offline this weekend. I can handle the release work on the next monday's night at the fastest.
Updated by darix (Marcus Rückert) over 4 years ago
Updated by Anonymous over 4 years ago
- Status changed from Open to Closed
Applied in changeset r55731.
webrick: filter out HTTP_PROXY for CGIHandler
- lib/webrick/httpservlet/cgihandler.rb (do_GET): delete HTTP_PROXY
- test/webrick/test_cgi.rb (test_cgi_env): new test
- test/webrick/webrick.cgi (do_GET): new endpoint to dump env [ruby-core:76511] [Bug #12610]