HTTPoxy mitigation #3422
https://httpoxy.org/

It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script uses requests to download files, requests will happily use the attacker-supplied proxy to make requests. This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.

I confirmed that HTTP_PROXY (in uppercase) is accepted as well as the conventional, lowercase http_proxy (requests 2.7.0).

Comments

We've been discussing this at length in IRC. We have a complex set of opinions here, but here they are:

I am willing to consider the possibility of raising warnings when running Requests inside a CGI process with

Makes sense to me. Avoiding HTTP_PROXY (uppercase) in a CGI context would probably be a good move, but if requests is not doing that directly there is probably no sense in you taking active measures. I myself only ever use wsgi. I'm gonna go ahead and close this.

@remram44 For what it's worth, I would heartily support a patch to the stdlib's

I filed cpython-27568.
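The mechanism the issue describes, as an added example that is not code from the thread or from requests itself: the RFC 3875 rule by which a CGI gateway turns a `Proxy:` request header into the `HTTP_PROXY` meta-variable, next to a proxy lookup that refuses that one variable under CGI while still honouring the lowercase `http_proxy`. The function names and the sample environment are hypothetical.

```python
import warnings

# Added example (not requests code): how a CGI gateway exposes request headers
# as environment variables, and a proxy lookup that refuses the one variable
# an HTTP client can set that way. All names here are hypothetical.

def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables (RFC 3875 section 4.1.18):
    upper-case the name, replace '-' with '_' and prefix it with 'HTTP_'."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def is_cgi_environment(environ):
    """True when the process carries CGI meta-variables, i.e. its HTTP_*
    variables may have been derived from an untrusted request."""
    return "REQUEST_METHOD" in environ or "GATEWAY_INTERFACE" in environ

def trusted_proxies(environ):
    """Return {scheme: url} for the proxy variables an HTTP client may honour.

    A 'Proxy:' request header becomes HTTP_PROXY in CGI, so under CGI the
    upper-case name is ignored (with a warning); lower-case http_proxy cannot
    be produced from a header and stays trusted.
    """
    proxies = {}
    under_cgi = is_cgi_environment(environ)
    for scheme, names in (("http", ("http_proxy", "HTTP_PROXY")),
                          ("https", ("https_proxy", "HTTPS_PROXY"))):
        for name in names:
            if name not in environ:
                continue
            if under_cgi and name == "HTTP_PROXY":
                warnings.warn("HTTP_PROXY ignored under CGI (httpoxy)", RuntimeWarning)
                continue
            proxies[scheme] = environ[name]
            break  # the first matching name wins; lowercase is the conventional form
    return proxies

if __name__ == "__main__":
    # Constructed request: a 'Proxy' header that the gateway exposes as HTTP_PROXY.
    env = cgi_meta_variables({"Host": "example.test", "Proxy": "http://proxy.invalid:8080"})
    print(env["HTTP_PROXY"])       # http://proxy.invalid:8080 (the header reached the environment)
    print(trusted_proxies(env))    # {} (not honoured under CGI)
    env["http_proxy"] = "http://corp-proxy.internal:3128"
    print(trusted_proxies(env))    # {'http': 'http://corp-proxy.internal:3128'}
```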