Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -1893,12 +1893,14 @@ def getproxies_environment():
18931893 environment .append ((name , value , proxy_name ))
18941894 if value :
18951895 proxies [proxy_name ] = value
1896- # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
1897- # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
1898- # header from the client.
1899- # The below check it and only accepts the lowercase "_proxy"
1896+
1897+ # CVE-2016-1000110 - If we are running as CGI script (i.e. when "REQUEST_METHOD"
1898+ # environment varable is set), forget HTTP_PROXY (non-all-lowercase)
1899+ # as it may be set from the web server by a "Proxy:" header from the atacker client.
1900+ # The below code check and drop it before the second pass matches lowercase.
19001901 if 'REQUEST_METHOD' in os .environ :
19011902 proxies .pop ('http' , None )
1903+
19021904 for name , value , proxy_name in environment :
19031905 # not case-folded, checking here for lower-case env vars only
19041906 if name [- 6 :] == '_proxy' :
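Review bot: The rewritten CVE-2016-1000110 comment (new lines 1897–1900) carries three typos that should not land in a security-relevant explanation: "varable", "atacker", and the ungrammatical "check and drop it". I would write the second through fourth lines as `# environment variable is set), forget HTTP_PROXY (non-all-lowercase)`, `# as it may be set from the web server by a "Proxy:" header from the attacker client.` and `# The below code checks and drops it before the second pass matches lowercase.`. It would also help a reader to say why the lowercase form is still trusted: the `pop('http', None)` discards whatever the first pass stored under `http`, and only the second pass, which accepts names ending in lowercase `_proxy`, can restore it, so a client-supplied `Proxy:` header (which a CGI server exposes as uppercase `HTTP_PROXY`) cannot reach the result; this reading is inferred from the visible lines, since the first pass and the rest of `getproxies_environment` lie outside the hunk.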