Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue reported and patch contributed by Rémi Rampin.
diff --git a/Misc/ACKS b/Misc/ACKS
index 7aa8fc8..0210a4c 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1123,6 +1123,7 @@
Jeff Ramnani
Varpu Rantala
Brodie Rao
+Rémi Rampin
Senko Rasic
Antti Rasinen
Nikolaus Rath
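Review bot: The added name is out of alphabetical order in this Misc/ACKS hunk: "Rampin" sorts after "Ramnani" and before "Rantala", but the new line sits after "Brodie Rao". Suggest moving "Rémi Rampin" up two lines so it directly follows "Jeff Ramnani", keeping the list sorted by surname like the surrounding entries.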
diff --git a/Misc/NEWS b/Misc/NEWS
index 06f10c9..a911bef 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,10 @@
Library
-------
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+ that the script is in CGI mode.
+
- Issue #27130: In the "zlib" module, fix handling of large buffers
(typically 2 or 4 GiB). Previously, inputs were limited to 2 GiB, and
compression and decompression operations did not properly handle results of
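Review bot: The new Issue #27568 entry in Misc/NEWS does not name the library module or function whose proxy handling changes, so a reader scanning the "Library" section cannot tell which API now ignores HTTP_PROXY in CGI mode. Suggest naming the affected module in the entry, and wording the condition as "when the REQUEST_METHOD environment variable is set", since "REQUEST_METHOD environment is set" drops the noun. Because the entry mentions only the uppercase HTTP_PROXY, it would also help to say whether the lowercase http_proxy variable is still honored.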