On Fri, 17 Aug 2007, Junichi Uekawa wrote:
> HTTP_PROXY, or http_proxy (and ftp_proxy) is used in many
> applications within Debian.
>
> There is a well-known remote attack in which HTTP_* variables can be
> set to arbitrary values for CGI scripts, and thus there is a need
> for protection against that.

Is there any reason why programs which use HTTP_PROXY can't check
GATEWAY_INTERFACE, SERVER_NAME, REQUEST_METHOD or similar and ignore the
capitalized env variable in such a case? [For reference, LWP ignores
HTTP_PROXY for CGI_HTTP_PROXY in the presence of REQUEST_METHOD.]

The alternative is just to require CGIs to unset HTTP_PROXY (though CGI
writers sometimes aren't terribly aware of these things.)

Don Armstrong

-- 
"It's not Hollywood. War is real, war is primarily not about defeat or
victory, it is about death. I've seen thousands and thousands of dead
bodies. Do you think I want to have an academic debate on this subject?"
 -- Robert Fisk

http://www.donarmstrong.com              http://rzlab.ucr.edu
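The check Don proposes, as an added example rather than code from LWP or any Debian package: a proxy-selection routine that refuses the upper-case HTTP_PROXY whenever the CGI meta-variables named in the thread are present, and a helper showing why a request header can only ever land in an upper-case HTTP_* name. Assumes a case-sensitive environment as on Debian; the sample values are constructed.

```python
import os
from typing import Mapping, Optional

# Meta-variables a CGI gateway sets on every request.  If any of them is
# present, HTTP_PROXY may have been derived from a client-supplied header.
CGI_MARKERS = ("GATEWAY_INTERFACE", "REQUEST_METHOD", "SERVER_NAME")


def cgi_meta_variable(header_name: str) -> str:
    """Name a CGI gateway gives a request header: upper-cased, '-' -> '_',
    prefixed with HTTP_.  A 'Proxy:' header becomes HTTP_PROXY; no header can
    produce the lower-case http_proxy on a case-sensitive system."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def running_as_cgi(env: Mapping[str, str]) -> bool:
    """True when the process looks like a CGI script (any marker present)."""
    return any(marker in env for marker in CGI_MARKERS)


def pick_http_proxy(env: Mapping[str, str]) -> Optional[str]:
    """Return the proxy URL to use for http:// requests, or None for direct.

    Outside CGI: honour HTTP_PROXY and http_proxy as most tools do.
    Inside CGI: ignore HTTP_PROXY (client-influenced) and accept only
    CGI_HTTP_PROXY (the LWP convention) or the lower-case http_proxy,
    which the gateway cannot set from a request header.
    """
    if running_as_cgi(env):
        return env.get("CGI_HTTP_PROXY") or env.get("http_proxy") or None
    return env.get("HTTP_PROXY") or env.get("http_proxy") or None


if __name__ == "__main__":
    # Constructed environments: a CGI request carrying a hostile 'Proxy:'
    # header, the same with an administrator-set CGI_HTTP_PROXY, and a
    # plain interactive shell.
    cgi_attacked = {"REQUEST_METHOD": "GET", "SERVER_NAME": "www.example",
                    cgi_meta_variable("Proxy"): "http://198.51.100.7:8080"}
    cgi_configured = dict(cgi_attacked, CGI_HTTP_PROXY="http://proxy.internal:3128")
    shell = {"HTTP_PROXY": "http://proxy.internal:3128"}
    print("CGI, hostile header  ->", pick_http_proxy(cgi_attacked))   # None
    print("CGI, CGI_HTTP_PROXY  ->", pick_http_proxy(cgi_configured))
    print("interactive shell    ->", pick_http_proxy(shell))
    print("this process         ->", pick_http_proxy(os.environ))
```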