Bug #12610
webrick: protect from httpoxy
Status: Closed
Description
See problem documented at https://httpoxy.org/
Sorry, my Internet connection is crap and I keep dropping.
Hope to commit within 24 hours.
Updated by nagachika (Tomoyuki Chikanaga) almost 10 years ago
As noted in the article (https://httpoxy.org/), Net::HTTP and URI::Generic.find_proxy have a mitigation for this vulnerability.
The remaining issue was that external programs spawned from CGI handlers could be affected by the HTTP_PROXY env. Is that right?
I don't have my ssh key right now; I can commit it and backport tonight.
How about the stable package releases?
Unfortunately I'm going to be offline this weekend. I can handle the release work on next Monday night at the earliest.
Updated by darix (Marcus Rückert) almost 10 years ago
On 2016-07-22 02:03:14 +0000, nagachika00@gmail.com wrote:
0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB)
the /dumpenv chunk from the patch looks like leftover debug code
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Updated by usa (Usaku NAKAMURA) almost 10 years ago
Marcus Rückert wrote:
the /dumpenv chunk from the patch looks like leftover debug code
It's not debug code. It's the test for verification.
Updated by Anonymous almost 10 years ago
- Status changed from Open to Closed
Applied in changeset r55731.
webrick: filter out HTTP_PROXY for CGIHandler
- lib/webrick/httpservlet/cgihandler.rb (do_GET): delete HTTP_PROXY
- test/webrick/test_cgi.rb (test_cgi_env): new test
- test/webrick/webrick.cgi (do_GET): new endpoint to dump env
[ruby-core:76511] [Bug #12610]
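The following Ruby script is an added example; it is not WEBrick's code and not the r55731 patch. It walks through the chain nagachika's comment and the commit message above describe: the CGI header-to-meta-variable mapping that turns a client-supplied "Proxy:" header into HTTP_PROXY, the existing mitigation in URI#find_proxy (what Net::HTTP uses) that ignores the upper-case HTTP_PROXY while running as a CGI program, and the remaining gap, an external program spawned from the CGI handler, closed by deleting HTTP_PROXY from the environment the way the commit does. The function names (cgi_env_from_headers, strip_httpoxy, child_sees_proxy?, proxy_chosen_by_ruby) and the constructed request (victim.example, 203.0.113.7, 198.51.100.10, 10.0.0.1) are this example's own assumptions, not anything on this page.

```ruby
require 'rbconfig'
require 'uri'

# RFC 3875 header-to-meta-variable mapping: "Foo-Bar: v" becomes HTTP_FOO_BAR=v.
# Written for this example (assumption: the same rule WEBrick's meta_vars applies).
# It is the root of httpoxy: a client-sent "Proxy:" header lands in HTTP_PROXY.
def cgi_env_from_headers(method, headers)
  env = { 'GATEWAY_INTERFACE' => 'CGI/1.1', 'REQUEST_METHOD' => method }
  headers.each do |name, value|
    env['HTTP_' + name.upcase.tr('-', '_')] = value
  end
  env
end

# What the fix does for the CGI handler: delete the upper-case HTTP_PROXY before
# the environment reaches the CGI program. Only the exact key is removed, so an
# operator-set lower-case http_proxy (which no request header can produce on a
# case-sensitive system) survives. Returns a new hash.
def strip_httpoxy(env)
  env.reject { |key, _| key == 'HTTP_PROXY' }
end

# Stand-in for an external program spawned by a CGI script: a child Ruby that
# reports whether HTTP_PROXY is set in its environment. 'HTTP_PROXY' => nil
# unsets anything this process itself inherited, so the answer depends only on
# the CGI meta-variables passed in.
def child_sees_proxy?(env)
  child_env = { 'HTTP_PROXY' => nil }.merge(env)
  code = 'print ENV.fetch("HTTP_PROXY", "")'
  out = IO.popen([child_env, RbConfig.ruby, '-e', code], &:read)
  !out.empty?
end

# The mitigation nagachika refers to: URI#find_proxy refuses the upper-case
# HTTP_PROXY when REQUEST_METHOD is present, i.e. inside a CGI program. ENV is
# swapped for the duration of the call and restored afterwards (not thread-safe;
# fine for a demonstration). The target is an IP literal (TEST-NET-2) so the
# loopback check inside find_proxy needs no DNS lookup.
def proxy_chosen_by_ruby(env, target = 'http://198.51.100.10/')
  saved = ENV.to_h
  ENV.replace(env)
  proxy = URI(target).find_proxy
  proxy && proxy.to_s
ensure
  ENV.replace(saved) if saved
end

if __FILE__ == $0
  # Constructed request: the attacker adds a Proxy header to an ordinary GET.
  hostile = cgi_env_from_headers('GET', { 'Host' => 'victim.example',
                                          'Proxy' => 'http://203.0.113.7:8080' })
  puts "HTTP_PROXY in CGI env:          #{hostile['HTTP_PROXY'].inspect}"
  puts "Net::HTTP would use a proxy:    #{proxy_chosen_by_ruby(hostile).inspect}"
  puts "child sees HTTP_PROXY (before): #{child_sees_proxy?(hostile)}"
  puts "child sees HTTP_PROXY (after):  #{child_sees_proxy?(strip_httpoxy(hostile))}"
end
```

Running it shows the split the thread is about: Ruby's own HTTP client already returns no proxy for the hostile environment, but a child process spawned with that environment still sees HTTP_PROXY until the handler strips it.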
Updated by normalperson (Eric Wong) almost 10 years ago
Marcus Rueckert darix@opensu.se wrote:
On 2016-07-22 02:03:14 +0000, nagachika00@gmail.com wrote:
0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB)
the /dumpenv chunk from the patch looks like leftover debug code
Nope, it's part of the test case as usa said.
Committed as r55731
Updated by nagachika (Tomoyuki Chikanaga) almost 10 years ago
- Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED to 2.1: REQUIRED, 2.2: REQUIRED, 2.3: DONE
ruby_2_3 r55791 merged revision(s) 55731.
Updated by usa (Usaku NAKAMURA) almost 10 years ago
- Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: DONE to 2.1: REQUIRED, 2.2: DONE, 2.3: DONE
ruby_2_2 r55923 merged revision(s) 55731.