On Thu, Aug 16, 2007 at 07:34:51PM -0700, Don Armstrong <[EMAIL PROTECTED]> wrote: > On Fri, 17 Aug 2007, Junichi Uekawa wrote: > > HTTP_PROXY, or http_proxy (and ftp_proxy) is used in many > > applications within Debian. > > > > There is a well-known remote attack using HTTP_* variables can be > > set to arbitrary values for CGI scripts, and thus there is a need > > for protection against that. > > Is there any reason why programs which use HTTP_PROXY can't check > GATEWAY_INTERFACE, SERVER_NAME, REQUEST_METHOD or similar and ignore > the capitalized env variable in such a case? > > [For reference, LWP ignores HTTP_PROXY for CGI_HTTP_PROXY in the > presence of REQUEST_METHOD.] > > The alternative is just to require CGIs to unset HTTP_PROXY (though > CGI writers sometimes aren't terribly aware of these things.)
I'm not sure this would also be a terribly good idea... How about CGIs that need to get data from external HTTP servers which they can't access if not through a proxy ? (such case *do* exist) Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
