https://hg.python.org/cpython/rev/a0ac52ed8f79
changeset: 102503:a0ac52ed8f79
branch: 3.5
parent: 102492:4cb94e561e2d
parent: 102502:3c19023c9fec
user: Senthil Kumaran <senthil(a)uthcode.com>
date: Sat Jul 30 23:39:06 2016 -0700
summary:
[merge from 3.4] - Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
files:
Doc/howto/urllib2.rst | 5 +++++
Doc/library/urllib.request.rst | 15 +++++++++++++++
Lib/test/test_urllib.py | 12 ++++++++++++
Lib/urllib/request.py | 6 ++++++
Misc/NEWS | 4 ++++
5 files changed, 42 insertions(+), 0 deletions(-)
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
@@ -538,6 +538,11 @@
through a proxy. However, this can be enabled by extending urllib.request as
shown in the recipe [#]_.
+.. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+ the documentation on :func:`~urllib.request.getproxies`.
+
Sockets and Layers
==================
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -173,6 +173,16 @@
If both lowercase and uppercase environment variables exist (and disagree),
lowercase is preferred.
+ .. note::
+
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
+ indicates your script is running in a CGI environment, the environment
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+ because that variable can be injected by a client using the "Proxy:" HTTP
+ header. If you need to use an HTTP proxy in a CGI environment, either use
+ ``ProxyHandler`` explicitly, or make sure the variable name is in
+ lowercase (or at least the ``_proxy`` suffix).
+
The following classes are provided:
@@ -280,6 +290,11 @@
list of hostname suffixes, optionally with ``:port`` appended, for example
``cern.ch,ncsa.uiuc.edu,some.host:8080``.
+ .. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+ see the documentation on :func:`~urllib.request.getproxies`.
+
.. class:: HTTPPasswordMgr()
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -232,6 +232,18 @@
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888'))
self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234'))
+ def test_proxy_cgi_ignore(self):
+ try:
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+ proxies = urllib.request.getproxies_environment()
+ self.assertEqual('http://somewhere:3128', proxies['http'])
+ self.env.set('REQUEST_METHOD', 'GET')
+ proxies = urllib.request.getproxies_environment()
+ self.assertNotIn('http', proxies)
+ finally:
+ self.env.unset('REQUEST_METHOD')
+ self.env.unset('HTTP_PROXY')
+
def test_proxy_bypass_environment_host_match(self):
bypass = urllib.request.proxy_bypass_environment
self.env.set('NO_PROXY',
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2412,6 +2412,12 @@
name = name.lower()
if value and name[-6:] == '_proxy':
proxies[name[:-6]] = value
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+ # header from the client
+ # If "proxy" is lowercase, it will still be used thanks to the next block
+ if 'REQUEST_METHOD' in os.environ:
+ proxies.pop('http', None)
for name, value in os.environ.items():
if name[-6:] == '_proxy':
name = name.lower()
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -34,6 +34,10 @@
Library
-------
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+ that the script is in CGI mode.
+
- Issue #27130: In the "zlib" module, fix handling of large buffers
(typically 4 GiB) when compressing and decompressing. Previously, inputs
were limited to 4 GiB, and compression and decompression operations did not
--
Repository URL: https://hg.python.org/cpython
https://hg.python.org/cpython/rev/7062eaee3adf
changeset: 102504:7062eaee3adf
branch: 3.5
parent: 102499:095b424127e7
parent: 102503:a0ac52ed8f79
user: Senthil Kumaran <senthil(a)uthcode.com>
date: Sat Jul 30 23:48:19 2016 -0700
summary:
merge heads
files:
Doc/howto/urllib2.rst | 5 +++++
Doc/library/urllib.request.rst | 15 +++++++++++++++
Lib/test/test_urllib.py | 12 ++++++++++++
Lib/urllib/request.py | 6 ++++++
Misc/NEWS | 4 ++++
5 files changed, 42 insertions(+), 0 deletions(-)
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
@@ -538,6 +538,11 @@
through a proxy. However, this can be enabled by extending urllib.request as
shown in the recipe [#]_.
+.. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+ the documentation on :func:`~urllib.request.getproxies`.
+
Sockets and Layers
==================
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -173,6 +173,16 @@
If both lowercase and uppercase environment variables exist (and disagree),
lowercase is preferred.
+ .. note::
+
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
+ indicates your script is running in a CGI environment, the environment
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+ because that variable can be injected by a client using the "Proxy:" HTTP
+ header. If you need to use an HTTP proxy in a CGI environment, either use
+ ``ProxyHandler`` explicitly, or make sure the variable name is in
+ lowercase (or at least the ``_proxy`` suffix).
+
The following classes are provided:
@@ -280,6 +290,11 @@
list of hostname suffixes, optionally with ``:port`` appended, for example
``cern.ch,ncsa.uiuc.edu,some.host:8080``.
+ .. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+ see the documentation on :func:`~urllib.request.getproxies`.
+
.. class:: HTTPPasswordMgr()
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -232,6 +232,18 @@
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888'))
self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234'))
+ def test_proxy_cgi_ignore(self):
+ try:
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+ proxies = urllib.request.getproxies_environment()
+ self.assertEqual('http://somewhere:3128', proxies['http'])
+ self.env.set('REQUEST_METHOD', 'GET')
+ proxies = urllib.request.getproxies_environment()
+ self.assertNotIn('http', proxies)
+ finally:
+ self.env.unset('REQUEST_METHOD')
+ self.env.unset('HTTP_PROXY')
+
def test_proxy_bypass_environment_host_match(self):
bypass = urllib.request.proxy_bypass_environment
self.env.set('NO_PROXY',
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2412,6 +2412,12 @@
name = name.lower()
if value and name[-6:] == '_proxy':
proxies[name[:-6]] = value
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+ # header from the client
+ # If "proxy" is lowercase, it will still be used thanks to the next block
+ if 'REQUEST_METHOD' in os.environ:
+ proxies.pop('http', None)
for name, value in os.environ.items():
if name[-6:] == '_proxy':
name = name.lower()
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -34,6 +34,10 @@
Library
-------
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+ that the script is in CGI mode.
+
- Issue #27656: Do not assume sched.h defines any SCHED_* constants.
- Issue #27130: In the "zlib" module, fix handling of large buffers
--
Repository URL: https://hg.python.org/cpython
https://hg.python.org/cpython/rev/6c2e2de5ab8e
changeset: 102505:6c2e2de5ab8e
parent: 102500:64b763290da9
parent: 102504:7062eaee3adf
user: Senthil Kumaran <senthil(a)uthcode.com>
date: Sat Jul 30 23:51:13 2016 -0700
summary:
[merge from 3.5] - Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
files:
Doc/howto/urllib2.rst | 5 +++++
Doc/library/urllib.request.rst | 15 +++++++++++++++
Lib/test/test_urllib.py | 12 ++++++++++++
Lib/urllib/request.py | 6 ++++++
Misc/ACKS | 1 +
Misc/NEWS | 4 ++++
6 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
@@ -538,6 +538,11 @@
through a proxy. However, this can be enabled by extending urllib.request as
shown in the recipe [#]_.
+.. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+ the documentation on :func:`~urllib.request.getproxies`.
+
Sockets and Layers
==================
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -173,6 +173,16 @@
If both lowercase and uppercase environment variables exist (and disagree),
lowercase is preferred.
+ .. note::
+
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
+ indicates your script is running in a CGI environment, the environment
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+ because that variable can be injected by a client using the "Proxy:" HTTP
+ header. If you need to use an HTTP proxy in a CGI environment, either use
+ ``ProxyHandler`` explicitly, or make sure the variable name is in
+ lowercase (or at least the ``_proxy`` suffix).
+
The following classes are provided:
@@ -280,6 +290,11 @@
list of hostname suffixes, optionally with ``:port`` appended, for example
``cern.ch,ncsa.uiuc.edu,some.host:8080``.
+ .. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+ see the documentation on :func:`~urllib.request.getproxies`.
+
.. class:: HTTPPasswordMgr()
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -232,6 +232,18 @@
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888'))
self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234'))
+ def test_proxy_cgi_ignore(self):
+ try:
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+ proxies = urllib.request.getproxies_environment()
+ self.assertEqual('http://somewhere:3128', proxies['http'])
+ self.env.set('REQUEST_METHOD', 'GET')
+ proxies = urllib.request.getproxies_environment()
+ self.assertNotIn('http', proxies)
+ finally:
+ self.env.unset('REQUEST_METHOD')
+ self.env.unset('HTTP_PROXY')
+
def test_proxy_bypass_environment_host_match(self):
bypass = urllib.request.proxy_bypass_environment
self.env.set('NO_PROXY',
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2477,6 +2477,12 @@
name = name.lower()
if value and name[-6:] == '_proxy':
proxies[name[:-6]] = value
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+ # header from the client
+ # If "proxy" is lowercase, it will still be used thanks to the next block
+ if 'REQUEST_METHOD' in os.environ:
+ proxies.pop('http', None)
for name, value in os.environ.items():
if name[-6:] == '_proxy':
name = name.lower()
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1204,6 +1204,7 @@
Jeff Ramnani
Varpu Rantala
Brodie Rao
+Rémi Rampin
Senko Rasic
Antti Rasinen
Nikolaus Rath
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -38,6 +38,10 @@
Library
-------
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+ that the script is in CGI mode.
+
- Issue #7063: Remove dead code from the "array" module's slice handling.
Patch by Chuck.
--
Repository URL: https://hg.python.org/cpython
https://hg.python.org/cpython/rev/95b09ccc8a3e
changeset: 102501:95b09ccc8a3e
branch: 3.3
parent: 102340:1c06e02b968a
user: Senthil Kumaran <senthil(a)uthcode.com>
date: Sat Jul 30 23:24:16 2016 -0700
summary:
Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
files:
Doc/howto/urllib2.rst | 5 +++++
Doc/library/urllib.request.rst | 13 +++++++++++++
Lib/test/test_urllib.py | 13 +++++++++++++
Lib/urllib/request.py | 7 +++++++
Misc/NEWS | 4 ++++
5 files changed, 42 insertions(+), 0 deletions(-)
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
@@ -538,6 +538,11 @@
through a proxy. However, this can be enabled by extending urllib.request as
shown in the recipe [#]_.
+.. note::
+
+ `HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+ the documentation on :func:`~urllib.request.getproxies`.
+
Sockets and Layers
==================
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -161,6 +161,14 @@
cannot find it, looks for proxy information from Mac OSX System
Configuration for Mac OS X and Windows Systems Registry for Windows.
+ .. note::
+
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
+ indicates your script is running in a CGI environment, the environment
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+ because that variable can be injected by a client using the "Proxy:" HTTP
+ header. If you need to use an HTTP proxy in a CGI environment use
+ ``ProxyHandler`` explicitly.
The following classes are provided:
@@ -265,6 +273,11 @@
To disable autodetected proxy pass an empty dictionary.
+ .. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+ see the documentation on :func:`~urllib.request.getproxies`.
+
.. class:: HTTPPasswordMgr()
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -194,6 +194,19 @@
self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com'))
+ def test_proxy_cgi_ignore(self):
+ try:
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+ proxies = urllib.request.getproxies_environment()
+ self.assertEqual('http://somewhere:3128', proxies['http'])
+ self.env.set('REQUEST_METHOD', 'GET')
+ proxies = urllib.request.getproxies_environment()
+ self.assertNotIn('http', proxies)
+ finally:
+ self.env.unset('REQUEST_METHOD')
+ self.env.unset('HTTP_PROXY')
+
+
class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin):
"""Test urlopen() opening a fake http connection."""
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2366,6 +2366,13 @@
name = name.lower()
if value and name[-6:] == '_proxy':
proxies[name[:-6]] = value
+
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+ # header from the client
+ if 'REQUEST_METHOD' in os.environ:
+ proxies.pop('http', None)
+
return proxies
def proxy_bypass_environment(host):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,10 @@
Library
-------
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+ that the script is in CGI mode.
+
- Issue #24521: Fix possible integer overflows in the pickle module.
- Issue #22931: Allow '[' and ']' in cookie values.
--
Repository URL: https://hg.python.org/cpython
https://hg.python.org/cpython/rev/3c19023c9fec
changeset: 102502:3c19023c9fec
branch: 3.4
parent: 102341:17ec4d58c046
parent: 102501:95b09ccc8a3e
user: Senthil Kumaran <senthil(a)uthcode.com>
date: Sat Jul 30 23:34:34 2016 -0700
summary:
[merge from 3.3] Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
files:
Doc/howto/urllib2.rst | 5 +++++
Doc/library/urllib.request.rst | 13 +++++++++++++
Lib/test/test_urllib.py | 13 +++++++++++++
Lib/urllib/request.py | 7 +++++++
Misc/NEWS | 4 ++++
5 files changed, 42 insertions(+), 0 deletions(-)
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
@@ -538,6 +538,11 @@
through a proxy. However, this can be enabled by extending urllib.request as
shown in the recipe [#]_.
+.. note::
+
+ `HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+ the documentation on :func:`~urllib.request.getproxies`.
+
Sockets and Layers
==================
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -166,6 +166,14 @@
cannot find it, looks for proxy information from Mac OSX System
Configuration for Mac OS X and Windows Systems Registry for Windows.
+ .. note::
+
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
+ indicates your script is running in a CGI environment, the environment
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+ because that variable can be injected by a client using the "Proxy:" HTTP
+ header. If you need to use an HTTP proxy in a CGI environment use
+ ``ProxyHandler`` explicitly.
The following classes are provided:
@@ -268,6 +276,11 @@
To disable autodetected proxy pass an empty dictionary.
+ .. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+ see the documentation on :func:`~urllib.request.getproxies`.
+
.. class:: HTTPPasswordMgr()
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -222,6 +222,19 @@
self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com'))
+ def test_proxy_cgi_ignore(self):
+ try:
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+ proxies = urllib.request.getproxies_environment()
+ self.assertEqual('http://somewhere:3128', proxies['http'])
+ self.env.set('REQUEST_METHOD', 'GET')
+ proxies = urllib.request.getproxies_environment()
+ self.assertNotIn('http', proxies)
+ finally:
+ self.env.unset('REQUEST_METHOD')
+ self.env.unset('HTTP_PROXY')
+
+
class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin, FakeFTPMixin):
"""Test urlopen() opening a fake http connection."""
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2337,6 +2337,13 @@
name = name.lower()
if value and name[-6:] == '_proxy':
proxies[name[:-6]] = value
+
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+ # header from the client
+ if 'REQUEST_METHOD' in os.environ:
+ proxies.pop('http', None)
+
return proxies
def proxy_bypass_environment(host):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,10 @@
Library
-------
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+ that the script is in CGI mode.
+
Tests
-----
--
Repository URL: https://hg.python.org/cpython
https://hg.python.org/cpython/rev/313e8fdb0d0c
changeset: 102498:313e8fdb0d0c
user: Nick Coghlan <ncoghlan(a)gmail.com>
date: Sun Jul 31 12:42:49 2016 +1000
summary:
Issue 27366: PEP 487 docs updates
- Porting note for type keyword arg handling
- __init_subclass__ note regarding metaclass hint
files:
Doc/reference/datamodel.rst | 7 +++++++
Doc/whatsnew/3.6.rst | 9 +++++++++
2 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/Doc/reference/datamodel.rst b/Doc/reference/datamodel.rst
--- a/Doc/reference/datamodel.rst
+++ b/Doc/reference/datamodel.rst
@@ -1672,6 +1672,13 @@
The default implementation ``object.__init_subclass__`` does
nothing, but raises an error if it is called with any arguments.
+ .. note::
+
+ The metaclass hint ``metaclass`` is consumed by the rest of the type
+ machinery, and is never passed to ``__init_subclass__`` implementations.
+ The actual metaclass (rather than the explicit hint) can be accessed as
+ ``type(cls)``.
+
.. versionadded:: 3.6
diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst
--- a/Doc/whatsnew/3.6.rst
+++ b/Doc/whatsnew/3.6.rst
@@ -759,6 +759,15 @@
<keyword-only_parameter>`.
(Contributed by Serhiy Storchaka in :issue:`18726`.)
+* As part of :pep:`487`, the handling of keyword arguments passed to
+ :class:`type` (other than the metaclass hint, ``metaclass``) is now
+ consistently delegated to :meth:`object.__init_subclass__`. This means that
+ :meth:`type.__new__` and :meth:`type.__init__` both now accept arbitrary
+ keyword arguments, but :meth:`object.__init_subclass__` (which is called from
+ :meth:`type.__new__`) will reject them by default. Custom metaclasses
+ accepting additional keyword arguments will need to adjust their calls to
+ :meth:`type.__new__` (whether direct or via :class:`super`) accordingly.
+
Changes in the C API
--------------------
--
Repository URL: https://hg.python.org/cpython
https://hg.python.org/cpython/rev/ba915d561667
changeset: 102496:ba915d561667
branch: 2.7
parent: 102472:c8c1ea94379a
user: Senthil Kumaran <senthil(a)uthcode.com>
date: Sat Jul 30 05:49:53 2016 -0700
summary:
Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue reported and patch contributed by Rémi Rampin.
files:
Doc/howto/urllib2.rst | 5 +++++
Doc/library/urllib.rst | 10 ++++++++++
Doc/library/urllib2.rst | 5 +++++
Lib/test/test_urllib.py | 12 ++++++++++++
Lib/urllib.py | 9 +++++++++
Misc/ACKS | 1 +
Misc/NEWS | 4 ++++
7 files changed, 46 insertions(+), 0 deletions(-)
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
@@ -525,6 +525,11 @@
through a proxy. However, this can be enabled by extending urllib2 as
shown in the recipe [#]_.
+.. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+ the documentation on :func:`~urllib.getproxies`.
+
Sockets and Layers
==================
diff --git a/Doc/library/urllib.rst b/Doc/library/urllib.rst
--- a/Doc/library/urllib.rst
+++ b/Doc/library/urllib.rst
@@ -295,6 +295,16 @@
If both lowercase and uppercase environment variables exist (and disagree),
lowercase is preferred.
+ .. note::
+
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
+ indicates your script is running in a CGI environment, the environment
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+ because that variable can be injected by a client using the "Proxy:"
+ HTTP header. If you need to use an HTTP proxy in a CGI environment,
+ either use ``ProxyHandler`` explicitly, or make sure the variable name
+ is in lowercase (or at least the ``_proxy`` suffix).
+
.. note::
urllib also exposes certain utility functions like splittype, splithost and
others parsing URL into various components. But it is recommended to use
diff --git a/Doc/library/urllib2.rst b/Doc/library/urllib2.rst
--- a/Doc/library/urllib2.rst
+++ b/Doc/library/urllib2.rst
@@ -229,6 +229,11 @@
To disable autodetected proxy pass an empty dictionary.
+ .. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+ see the documentation on :func:`~urllib.getproxies`.
+
.. class:: HTTPPasswordMgr()
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -170,6 +170,18 @@
self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com:8888'))
self.assertTrue(urllib.proxy_bypass_environment('newdomain.com:1234'))
+ def test_proxy_cgi_ignore(self):
+ try:
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+ proxies = urllib.getproxies_environment()
+ self.assertEqual('http://somewhere:3128', proxies['http'])
+ self.env.set('REQUEST_METHOD', 'GET')
+ proxies = urllib.getproxies_environment()
+ self.assertNotIn('http', proxies)
+ finally:
+ self.env.unset('REQUEST_METHOD')
+ self.env.unset('HTTP_PROXY')
+
def test_proxy_bypass_environment_host_match(self):
bypass = urllib.proxy_bypass_environment
self.env.set('NO_PROXY',
diff --git a/Lib/urllib.py b/Lib/urllib.py
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -1380,12 +1380,21 @@
If you need a different way, you can pass a proxies dictionary to the
[Fancy]URLopener constructor.
"""
+ # Get all variables
proxies = {}
for name, value in os.environ.items():
name = name.lower()
if value and name[-6:] == '_proxy':
proxies[name[:-6]] = value
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+ # header from the client
+ # If "proxy" is lowercase, it will still be used thanks to the next block
+ if 'REQUEST_METHOD' in os.environ:
+ proxies.pop('http', None)
+
+ # Get lowercase variables
for name, value in os.environ.items():
if name[-6:] == '_proxy':
name = name.lower()
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1123,6 +1123,7 @@
Jeff Ramnani
Varpu Rantala
Brodie Rao
+Rémi Rampin
Senko Rasic
Antti Rasinen
Nikolaus Rath
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,10 @@
Library
-------
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+ that the script is in CGI mode.
+
- Issue #27130: In the "zlib" module, fix handling of large buffers
(typically 2 or 4 GiB). Previously, inputs were limited to 2 GiB, and
compression and decompression operations did not properly handle results of
--
Repository URL: https://hg.python.org/cpython