[merge from 3.4] - Prevent HTTPoxy attack (CVE-2016-1000110)

Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode. Issue #27568 Reported and patch contributed by Rémi Rampin.
2025-11-02 03:01:58 +00:00 · 2016-07-30 23:39:06 -07:00 · 2016-07-30 23:39:06 -07:00 · 17742f2d45
commit 17742f2d45
parent 3a32bdfaa7 436fe5a447
5 changed files with 42 additions and 0 deletions
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@ -173,6 +173,16 @@ The :mod:`urllib.request` module defines the following functions:
   If both lowercase and uppercase environment variables exist (and disagree),
   lowercase is preferred.

+    .. note::
+
+       If the environment variable ``REQUEST_METHOD`` is set, which usually
+       indicates your script is running in a CGI environment, the environment
+       variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+       because that variable can be injected by a client using the "Proxy:" HTTP
+       header. If you need to use an HTTP proxy in a CGI environment, either use
+       ``ProxyHandler`` explicitly, or make sure the variable name is in
+       lowercase (or at least the ``_proxy`` suffix).
+

 The following classes are provided:

@ -280,6 +290,11 @@ The following classes are provided:
   list of hostname suffixes, optionally with ``:port`` appended, for example
   ``cern.ch,ncsa.uiuc.edu,some.host:8080``.

+    .. note::
+
+       ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+       see the documentation on :func:`~urllib.request.getproxies`.
+

 .. class:: HTTPPasswordMgr()