From: nagachika00@...
Date: 2016-07-22T02:03:14+00:00
Subject: [ruby-core:76515] [Ruby trunk Bug#12610] webrick: protect from httpoxy

Issue #12610 has been updated by Tomoyuki Chikanaga.

As noted in the article (https://httproxy.org/), Net::HTTP and URI::Generic.find_proxy have mitigations for this vulnerability.
The remaining issue was that external programs spawned in CGI handlers could be affected by the HTTP_PROXY env. Is that right?

I don't have my ssh key right now; I can commit it and backport it tonight.

How about the stable package releases?
Unfortunately I'm going to be offline this weekend. I can handle the release work next Monday night at the earliest.

----------------------------------------
Bug #12610: webrick: protect from httpoxy
https://bugs.ruby-lang.org/issues/12610#change-59758

* Author: Eric Wong
* Status: Open
* Priority: Normal
* Assignee:
* ruby -v:
* Backport: 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED
----------------------------------------
See problem documented at https://httpoxy.org/

Sorry my Internet connection is crap and I keep dropping.
Hope to commit within 24 hours.

---Files--------------------------------
0001-webrick-filter-out-HTTP_PROXY-for-CGIHandler.patch (2.46 KB)

--
https://bugs.ruby-lang.org/
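
An added illustration of the issue discussed in this message (not the attached patch and not WEBrick's own code): a CGI gateway maps each request header to an HTTP_* environment variable for the spawned program, so a client-sent Proxy header becomes HTTP_PROXY unless it is filtered out. The helper names and the sample headers are hypothetical and constructed for this example.

```ruby
# Added illustration; helper names are hypothetical, not WEBrick's API.

# Constructed sample request headers, as a client could send them.
SAMPLE_HEADERS = {
  "Host"       => "app.example",
  "User-Agent" => "demo/1.0",
  "proxy"      => "http://proxy.invalid:8080", # client-controlled
}.freeze

# Meta-variables that must not be derived from request headers:
# HTTP_PROXY is read as a proxy setting by many HTTP clients (httpoxy).
BLOCKED_META_VARS = %w[HTTP_PROXY].freeze

# RFC 3875 4.1.18: header "Foo-Bar" becomes meta-variable HTTP_FOO_BAR.
def meta_var_name(header)
  "HTTP_" + header.upcase.tr("-", "_")
end

# Environment for the CGI child without any filtering (the exposed case).
# A header-derived value also overwrites one the server set itself.
def unfiltered_cgi_env(headers, server_env = {})
  headers.each_with_object(server_env.dup) do |(name, value), env|
    env[meta_var_name(name)] = value
  end
end

# Same mapping, but headers that land on a blocked name are dropped.
# The comparison runs on the mapped name, so "proxy", "PROXY" and
# "Proxy" are all caught, and a server-configured value is preserved.
def filtered_cgi_env(headers, server_env = {})
  headers.each_with_object(server_env.dup) do |(name, value), env|
    key = meta_var_name(name)
    env[key] = value unless BLOCKED_META_VARS.include?(key)
  end
end

if __FILE__ == $PROGRAM_NAME
  p unfiltered_cgi_env(SAMPLE_HEADERS)["HTTP_PROXY"]
  p filtered_cgi_env(SAMPLE_HEADERS)["HTTP_PROXY"]
end
```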