Free Ekanayaka <fr...@debian.org> writes:
> I had a quick look at the code too (both in wheezy and jessie), but I
> couldn't find the offending bits. Perhaps it'd be good to put together a
> small web server and see what happens when you pass the 'Proxy'
> header.
So I created the following code:
=== cut ===
from twisted.internet import reactor
from twisted.web.server import Site
from twisted.web.resource import Resource
import time
import os
class ClockPage(Resource):
isLeaf = True
def render_GET(self, request):
print(os.environ)
return "<html><body>%s</body></html>" % (time.ctime(),)
resource = ClockPage()
factory = Site(resource)
reactor.listenTCP(8880, factory)
reactor.run()
=== cut ===
Then I attempted to run from wheezy. In particular, I used the following
command:
curl -H "Proxy: http://meow/"; http://localhost:8880/
I inspected the console output, but could not find any references to
meow or HTTP_PROXY:
{'TERM': 'xterm-256color', 'SHELL': '/bin/bash', 'SCHROOT_UID': '1000',
'SCHROOT_COMMAND': '-bash', 'SHLVL': '1', 'OLDPWD': '/root',
'SCHROOT_CHROOT_NAME': 'wheezy-amd64-default', 'PWD':
'/home/brian/tree/debian/debian-lts/wheezy/twisted/test', 'SCHROOT_SESSION_ID':
'wheezy-amd64-default-76337752-1661-47c2-b322-f2a73ff7314b', 'SCHROOT_USER':
'brian', 'USER': 'root', 'HOME': '/root', 'SCHROOT_GID': '1000', 'PATH':
'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'LOGNAME':
'root', 'SCHROOT_GROUP': 'brian', 'SCHROOT_ALIAS_NAME': 'wheezy-amd64-default',
'_': '/usr/bin/python'}
I get similar results when testing on stretch. It looks like sid is the
same version 16.3.0-1.
I am inclined to say that no version of twisted, by itself, has this
vulnerability. However like I said earlier it is possible that
applications that use twisted have this vulnerability.
--
Brian May <b...@debian.org>
