From: Senthil Kumaran Date: Sun, 31 Jul 2016 06:51:13 +0000 (-0700) Subject: [merge from 3.5] - Prevent HTTPoxy attack (CVE-2016-1000110) X-Git-Tag: v3.6.0a4~85 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cde03fa0381fcb7f7d3ba0dff4e784eade1f3031;p=python [merge from 3.5] - Prevent HTTPoxy attack (CVE-2016-1000110) Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode. Issue #27568 Reported and patch contributed by Rémi Rampin. --- cde03fa0381fcb7f7d3ba0dff4e784eade1f3031 diff --cc Misc/ACKS index b9af7265f9,150d37a3a3..926cdaedbb --- a/Misc/ACKS +++ b/Misc/ACKS @@@ -1204,6 -1191,6 +1204,7 @@@ Shorya Ra Jeff Ramnani Varpu Rantala Brodie Rao ++Rémi Rampin Senko Rasic Antti Rasinen Nikolaus Rath diff --cc Misc/NEWS index a6bc778d3a,ffd647113e..d265038510 --- a/Misc/NEWS +++ b/Misc/NEWS @@@ -38,9 -34,10 +38,13 @@@ Core and Builtin Library ------- + - Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the + HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates + that the script is in CGI mode. + +- Issue #7063: Remove dead code from the "array" module's slice handling. + Patch by Chuck. + - Issue #27656: Do not assume sched.h defines any SCHED_* constants. - Issue #27130: In the "zlib" module, fix handling of large buffers
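Review bot: In the Misc/ACKS hunk, "Rémi Rampin" is added after "Brodie Rao", but the neighbouring names are in alphabetical order and "Rampin" sorts between "Jeff Ramnani" and "Varpu Rantala". Move the new line up two entries so the list stays ordered.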
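Review bot: The new Misc/NEWS entry for Issue #27568 does not say which module or function now ignores HTTP_PROXY, and "when REQUEST_METHOD environment is set" is missing the word "variable". Name the affected API in the entry and state whether only the upper-case HTTP_PROXY name is ignored or the lower-case http_proxy as well, so that people running CGI scripts can tell what behaviour changed. The combined diff shown here touches only Misc/ACKS and Misc/NEWS, so the code change and its test have to be checked in the 3.5 commit that this merge brings in.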