From f646c1f89d554f06bb303838a6176d79fd9a143e Mon Sep 17 00:00:00 2001 From: Masahiro Nagano <kazeburo@gmail.com> Date: Tue, 19 Jul 2016 01:37:50 +0900 Subject: [PATCH 1/2] Do not set HTTP_PROXY env to prevent httproxy vulnerability --- lib/CGI/Emulate/PSGI.pm | 2 +- t/06_httproxy.t | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 t/06_httproxy.t diff --git a/lib/CGI/Emulate/PSGI.pm b/lib/CGI/Emulate/PSGI.pm index 5a0869a..b65cead 100644 --- a/lib/CGI/Emulate/PSGI.pm +++ b/lib/CGI/Emulate/PSGI.pm @@ -50,7 +50,7 @@ sub emulate_environment { REMOTE_HOST => 'localhost', REMOTE_PORT => int( rand(64000) + 1000 ), # not in RFC 3875 # REQUEST_URI => $uri->path_query, # not in RFC 3875 - ( map { $_ => $env->{$_} } grep !/^psgix?\./, keys %$env ) + ( map { $_ => $env->{$_} } grep { $_ ne "HTTP_PROXY" } grep !/^psgix?\./, keys %$env ) }; return wantarray ? %$environment : $environment; diff --git a/t/06_httproxy.t b/t/06_httproxy.t new file mode 100644 index 0000000..07d486d --- /dev/null +++ b/t/06_httproxy.t @@ -0,0 +1,36 @@ +use strict; +use warnings; +use CGI; +use CGI::Emulate::PSGI; +use Test::More; + +my $handler = CGI::Emulate::PSGI->handler( + sub { + ok ! exists $ENV{HTTP_PROXY}; + print "Content-Type: text/html; charset=utf-8\r\n"; + print "Content-Length: 4\r\n"; + print "\r\n"; + print "KTKR"; + } +); + +my $input = ""; +open my $in, '<', \$input; +open my $errors, '>', \my $err; +my $res = $handler->( + +{ + 'psgi.input' => $in, + REMOTE_ADDR => '192.168.1.1', + REQUEST_METHOD => 'GET', + HTTP_PROXY => 'localhost:3128', + 'psgi.errors' => $errors, + } +); + + +is $res->[0], 200; +my $headers = +{@{$res->[1]}}; + + +done_testing; + From 979cd44f849314e88729e4a826960f20e56557bc Mon Sep 17 00:00:00 2001 From: Masahiro Nagano <kazeburo@gmail.com> Date: Tue, 19 Jul 2016 14:55:57 +0900 Subject: [PATCH 2/2] merge two grep --- lib/CGI/Emulate/PSGI.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/CGI/Emulate/PSGI.pm b/lib/CGI/Emulate/PSGI.pm index b65cead..4bfaa00 100644 --- a/lib/CGI/Emulate/PSGI.pm +++ b/lib/CGI/Emulate/PSGI.pm @@ -50,7 +50,7 @@ sub emulate_environment { REMOTE_HOST => 'localhost', REMOTE_PORT => int( rand(64000) + 1000 ), # not in RFC 3875 # REQUEST_URI => $uri->path_query, # not in RFC 3875 - ( map { $_ => $env->{$_} } grep { $_ ne "HTTP_PROXY" } grep !/^psgix?\./, keys %$env ) + ( map { $_ => $env->{$_} } grep { !/^psgix?\./ && $_ ne "HTTP_PROXY" } keys %$env ) }; return wantarray ? %$environment : $environment;