Hi,

I had a quick look at the code too (both in wheezy and jessie), but I
couldn't find the offending bits. Perhaps it'd be good to put together a
small web server and see what happens when you pass the 'Proxy' header.

Free

On 5 August 2016 at 10:26, Brian May <b...@debian.org> wrote:

> This security vulnerability is described here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1357345
>
> as:
>
> "sets environmental variable based on user supplied Proxy request
> header"
>
> In particular it is talking about HTTP_PROXY, and it is only a problem if
> the server makes an outgoing HTTP request using this value.
>
> Looking at this, I am inclined to say this isn't a security issue in
> twisted itself, rather some unspecified applications that use twisted.
>
> Just trying to double check this. I can't find any references
> (case-insensitive) of "HTTP_PROXY" in the twisted source however.
>
> This appears to be confirmed by the first sentence in the redhat bug
> report:
>
> "Many software projects and vendors have implemented support for the
> “Proxy” request header in their respective CGI implementations and
> languages by creating the “HTTP_PROXY” environmental variable based on
> the header value."
>
> There are a number of projects in Debian that use twisted, should we
> check each one?
>
> Sure would be good if I had an example application that was confirmed
> vulnerable.
> --
> Brian May <b...@debian.org>
>
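Added illustration of the mechanism the quoted bug report describes (not code from Twisted or from this thread; function and sample names are hypothetical): a CGI gateway derives the environment variable name from the header name, so a client-sent "Proxy" header becomes HTTP_PROXY without the string "HTTP_PROXY" ever appearing in the server source, which is why a grep for it finds nothing. The example also shows the usual mitigation of dropping that header before the child is spawned, and a simple detection hook.

```python
# Added illustration, not code from Twisted or from this thread: how a CGI
# gateway derives environment variable names from request headers, why a
# client-sent "Proxy" header turns into HTTP_PROXY even though that string
# appears nowhere in the server source, and the usual fix of dropping that
# header before the child process is spawned. Names below are hypothetical.


def cgi_meta_variable(header_name):
    """RFC 3875 rule: upper-case, replace '-' with '_', prefix with HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_environ(headers, drop_proxy=True):
    """Build the HTTP_* part of a CGI child's environment from (name, value)
    header pairs.  With drop_proxy=True the client-controlled 'Proxy' header
    is never forwarded, so it cannot become the HTTP_PROXY variable that
    HTTP client libraries consult for outbound requests."""
    env = {}
    for name, value in headers:
        if drop_proxy and name.strip().lower() == "proxy":
            continue
        env[cgi_meta_variable(name)] = value
    return env


def outgoing_proxy_for(env):
    """Mimic a client library that honours HTTP_PROXY from its environment."""
    return env.get("HTTP_PROXY")


def has_proxy_header(headers):
    """Detection hook: no standard client sends a 'Proxy' header, so its
    presence is worth logging or rejecting at the front end."""
    return any(name.strip().lower() == "proxy" for name, _ in headers)


# Constructed sample request, as a small test client might send it.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "test-client/1.0"),
    ("Proxy", "http://proxy.example:8080"),  # client-supplied value
]

if __name__ == "__main__":
    unsafe = build_cgi_environ(SAMPLE_HEADERS, drop_proxy=False)
    safe = build_cgi_environ(SAMPLE_HEADERS)
    print("header forwarded blindly ->", outgoing_proxy_for(unsafe))
    print("header dropped           ->", outgoing_proxy_for(safe))
```

Running it against a real server, as suggested above, means sending the same header to the CGI resource and checking whether the child process's environment (or its outbound requests) picks up the value.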