issue2550925 strip HTTP_PROXY environment variable

rouilj · rouilj · commit eaadb141c36d · 2019-10-13T17:45:06.000-04:00
if deployed as CGI and client sends an http PROXY header, the tainted HTTP_PROXY environment variable is created. It can affect calls using requests package or curl. A roundup admin would have to write detectors/extensions that use these mechanisms. Not exploitable in default config. See: https://httpoxy.org/
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -186,6 +186,12 @@ Fixed:
   by John Rouillard.
 - issue2551066: IMAP mail handling wasn't working and produced a
   traceback.
+- issue2550925 if deployed as CGI and client sends an http PROXY
+  header, the tainted HTTP_PROXY environment variable is created. It
+  can affect calls using requests package or curl. A roundup admin
+  would have to write detectors/extensions that use these mechanisms.
+  Not exploitable in default config. (John Rouillard)
+
 
 2018-07-13 1.6.0
 
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -466,6 +466,14 @@ def setTranslator(self, translator=None):
     def main(self):
         """ Wrap the real main in a try/finally so we always close off the db.
         """
+
+        # strip HTTP_PROXY issue2550925 in case
+        # PROXY header is set.
+        if 'HTTP_PROXY' in self.env:
+            del(self.env['HTTP_PROXY'])
+        if 'HTTP_PROXY' in os.environ:
+            del(os.environ['HTTP_PROXY'])
+
         xmlrpc_enabled = self.instance.config.WEB_ENABLE_XMLRPC
         rest_enabled   = self.instance.config.WEB_ENABLE_REST
         try:
diff --git a/test/test_cgi.py b/test/test_cgi.py
@@ -830,6 +830,18 @@ def testXMLTemplate(self):
         out = pt.render(cl, 'issue', MockNull())
         self.assertEqual(out, '<?xml version="1.0" encoding="UTF-8"?><feed\n    xmlns="http://www.w3.org/2005/Atom"/>\n')
 
+    def testHttpProxyStrip(self):
+        os.environ['HTTP_PROXY'] = 'http://bad.news/here/'
+        cl = self.setupClient({ }, 'issue',
+                env_addon = {'HTTP_PROXY': 'http://bad.news/here/'})
+        out = []
+        def wh(s):
+            out.append(s)
+        cl.write_html = wh
+        cl.main()
+        self.assertFalse('HTTP_PROXY' in cl.env)
+        self.assertFalse('HTTP_PROXY' in os.environ)
+
     def testCsrfProtection(self):
         # need to set SENDMAILDEBUG to prevent
         # downstream issue when email is sent on successful
