[Pkg-erlang-devel] Bug#832433: Bug#832433: CVE-2016-1000108

Moritz Mühlenhoff jmm at inutil.org
Mon Jul 25 21:18:58 UTC 2016


On Mon, Jul 25, 2016 at 06:04:50PM +0300, Sergei Golovan wrote:
> Hi Moritz,
> 
> On Mon, Jul 25, 2016 at 5:03 PM, Moritz Muehlenhoff <jmm at debian.org> wrote:
> > Source: yaws
> > Severity: normal
> > Tags: security
> >
> > http://seclists.org/oss-sec/2016/q3/95 claims that yaws sets
> > HTTP_PROXY based on a passed Proxy: header. I don't see any
> > evidence for that in the source, but maybe I'm missing something?
> 
> Actually, it does set HTTP_PROXY if the Proxy: header is passed to it.
> You can see in src/yaws.erl (lines 2537-2542 in 2.0.3) it collects all
> unknown headers to the "other" headers collection:
> 
>         %% auxiliary headers we don't have builtin support for
>         {ok, X} ->
>             ?Debug("OTHER header ~p~n", [X]),
>             http_collect_headers(CliSock, Req,
>                                  H#headers{other=[X|H#headers.other]},
>                                  SSL, Count+1);
> 
> And in src/yaws_cgi.erl (lines 370-373 in 2.0.3) it passes all the "other"
> headers to the CGI script environment (with HTTP_ prepended, so Proxy
> becomes HTTP_PROXY; the tohttp function does exactly that):
> 
>             {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))}
>            ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end,
>                         H#headers.other)
>           )) ++
> 
> So, YAWS is vulnerable. How do you think we should fix this?

Oh, you're right, I missed that code section!

> Appears that this bug is already fixed upstream (in VCS, not in any
> release yet):
> 
> https://github.com/klacke/yaws/commit/9d8fb070e782c95821c90d0ca7372fc6d7316c78#diff-54053c47eb173a90c26ed19bd9d106c1
>
> I could take this patch and prepare the fixes for sid and jessie.

The impact is still fairly limited, so I think it's sufficient if
we fix this through the next jessie point release.

Cheers,
        Moritz
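The mechanism discussed in this thread (the "httpoxy" pattern: a CGI gateway copies every unrecognised request header into the script environment as HTTP_<NAME>, so a client-supplied Proxy: header lands in HTTP_PROXY, which many HTTP client libraries read as their outbound proxy setting) is illustrated below in Python. This is an added example, not yaws code and not the upstream commit linked above; the header list, the `tohttp` and `cgi_env_from_headers` names and the `proxy.invalid` value are constructed for the example. It shows the RFC 3875 header-to-environment mapping as yaws's tohttp performs it, the unsafe behaviour beside the filtered form, and a small check a defender can run over request headers to spot the condition.

```python
"""Added example (not part of yaws): CGI header-to-environment mapping,
the HTTP_PROXY hazard, and a filtering mitigation plus a detection check."""

from typing import Dict, Iterable, List, Tuple

# Header names that must never be exported as HTTP_* to a CGI process.
# "Proxy" is the case from the thread: it would become HTTP_PROXY.
CGI_HEADER_BLOCKLIST = frozenset({"proxy"})

# Constructed sample request headers, as a gateway would have parsed them.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "www.example.org"),
    ("User-Agent", "example-agent/1.0"),
    ("X-Forwarded-For", "192.0.2.10"),
    ("Proxy", "http://proxy.invalid:8080"),  # attacker-controlled in the real case
]


def tohttp(name: str) -> str:
    """RFC 3875 style mapping: 'X-Forwarded-For' -> 'HTTP_X_FORWARDED_FOR'.

    This mirrors what the yaws tohttp/1 function described in the thread
    does for every 'other' header (assumption: uppercase, '-' to '_')."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def cgi_env_from_headers(headers: Iterable[Tuple[str, str]],
                         filter_proxy: bool = True) -> Dict[str, str]:
    """Build the HTTP_* part of a CGI environment from request headers.

    filter_proxy=False reproduces the vulnerable behaviour (every header is
    exported); the default drops names in CGI_HEADER_BLOCKLIST so that a
    client-supplied Proxy: header can never become HTTP_PROXY."""
    env: Dict[str, str] = {}
    for name, value in headers:
        if filter_proxy and name.strip().lower() in CGI_HEADER_BLOCKLIST:
            continue
        env[tohttp(name)] = value
    return env


def outbound_proxy(env: Dict[str, str]) -> str:
    """Stand-in for an HTTP client library that honours HTTP_PROXY from the
    environment. Returns '' when no proxy would be used."""
    return env.get("HTTP_PROXY", "")


def find_proxy_headers(headers: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Detection helper: return any request headers that would map to a
    blocklisted CGI variable. A non-empty result is worth logging."""
    return [(n, v) for n, v in headers
            if n.strip().lower() in CGI_HEADER_BLOCKLIST]


if __name__ == "__main__":
    unsafe = cgi_env_from_headers(SAMPLE_HEADERS, filter_proxy=False)
    safe = cgi_env_from_headers(SAMPLE_HEADERS)
    print("unfiltered HTTP_PROXY:", outbound_proxy(unsafe))
    print("filtered   HTTP_PROXY:", repr(outbound_proxy(safe)))
    print("suspicious headers:", find_proxy_headers(SAMPLE_HEADERS))
```

The filter is deliberately a blocklist on the raw header name rather than on the computed variable, because the mapping is many-to-one: any spelling that uppercases to PROXY should be dropped before tohttp runs. A gateway that already exports headers this way can also be audited with `find_proxy_headers` over logged request headers to see whether anything has been sending Proxy: at all.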
