
perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5.src.rpm

From f646c1f89d554f06bb303838a6176d79fd9a143e Mon Sep 17 00:00:00 2001
From: Masahiro Nagano <kazeburo@gmail.com>
Date: Tue, 19 Jul 2016 01:37:50 +0900
Subject: [PATCH 1/2] Do not set HTTP_PROXY env to prevent httproxy
 vulnerability

---
 lib/CGI/Emulate/PSGI.pm |  2 +-
 t/06_httproxy.t         | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 t/06_httproxy.t

diff --git a/lib/CGI/Emulate/PSGI.pm b/lib/CGI/Emulate/PSGI.pm
index 5a0869a..b65cead 100644
--- a/lib/CGI/Emulate/PSGI.pm
+++ b/lib/CGI/Emulate/PSGI.pm
@@ -50,7 +50,7 @@ sub emulate_environment {
         REMOTE_HOST     => 'localhost',
         REMOTE_PORT     => int( rand(64000) + 1000 ),    # not in RFC 3875
         # REQUEST_URI     => $uri->path_query,                 # not in RFC 3875
-        ( map { $_ => $env->{$_} } grep !/^psgix?\./, keys %$env )
+        ( map { $_ => $env->{$_} } grep { $_ ne "HTTP_PROXY" } grep !/^psgix?\./, keys %$env )
     };
 
     return wantarray ? %$environment : $environment;
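Review bot: The added `grep { $_ ne "HTTP_PROXY" }` filter carries no comment saying why this one key is dropped, so a later cleanup of the line could remove a security control without noticing. I would put a comment directly above the `map` line, such as `# Drop HTTP_PROXY: it is derived from the client-supplied Proxy request header, and HTTP client code run by the CGI script may read it as proxy configuration (httpoxy).` Patch 2/2 rewrites this same line into a single grep, so the comment should be carried over to the merged form there. emulate_environment begins above this hunk, so how the returned hash is combined with the process's own %ENV is not visible here.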
diff --git a/t/06_httproxy.t b/t/06_httproxy.t
new file mode 100644
index 0000000..07d486d
--- /dev/null
+++ b/t/06_httproxy.t
@@ -0,0 +1,36 @@
+use strict;
+use warnings;
+use CGI;
+use CGI::Emulate::PSGI;
+use Test::More;
+
+my $handler = CGI::Emulate::PSGI->handler(
+    sub {
+        ok ! exists $ENV{HTTP_PROXY};
+        print "Content-Type: text/html; charset=utf-8\r\n";
+        print "Content-Length: 4\r\n";
+        print "\r\n";
+        print "KTKR";
+    }
+);
+
+my $input = "";
+open my $in, '<', \$input;
+open my $errors, '>', \my $err;
+my $res = $handler->(
+    +{
+        'psgi.input'   => $in,
+        REMOTE_ADDR    => '192.168.1.1',
+        REQUEST_METHOD => 'GET',
+        HTTP_PROXY     => 'localhost:3128',
+        'psgi.errors'  => $errors,
+    }
+);
+
+
+is $res->[0], 200;
+my $headers = +{@{$res->[1]}};
+
+
+done_testing;
+
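Review bot: The assertion `ok ! exists $ENV{HTTP_PROXY};` inside the CGI sub depends on the ambient process environment as well as on the new filter. If the handler layers the emulated variables over the existing %ENV (not visible in this patch), a build host that exports HTTP_PROXY would fail the test even though the fix works. Isolating the check with `local %ENV = %ENV; delete $ENV{HTTP_PROXY};` before the `$handler->(...)` call removes that dependency. The test would also pin the fix more directly by asserting on the return value of `emulate_environment` and by checking that another `HTTP_*` key is still passed through. Smaller points: the assertions have no descriptions, the two `open` calls are unchecked, and `$headers` is assigned but never used.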

From 979cd44f849314e88729e4a826960f20e56557bc Mon Sep 17 00:00:00 2001
From: Masahiro Nagano <kazeburo@gmail.com>
Date: Tue, 19 Jul 2016 14:55:57 +0900
Subject: [PATCH 2/2] merge two grep

---
 lib/CGI/Emulate/PSGI.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/CGI/Emulate/PSGI.pm b/lib/CGI/Emulate/PSGI.pm
index b65cead..4bfaa00 100644
--- a/lib/CGI/Emulate/PSGI.pm
+++ b/lib/CGI/Emulate/PSGI.pm
@@ -50,7 +50,7 @@ sub emulate_environment {
         REMOTE_HOST     => 'localhost',
         REMOTE_PORT     => int( rand(64000) + 1000 ),    # not in RFC 3875
         # REQUEST_URI     => $uri->path_query,                 # not in RFC 3875
-        ( map { $_ => $env->{$_} } grep { $_ ne "HTTP_PROXY" } grep !/^psgix?\./, keys %$env )
+        ( map { $_ => $env->{$_} } grep { !/^psgix?\./ && $_ ne "HTTP_PROXY" } keys %$env )
     };
 
     return wantarray ? %$environment : $environment;