Issue #6546 has been updated by akr (Akira Tanaka).


net.http.proxy_from_env.2.no_env_by_default.patch seems have following line.

  env_proxy = ENV['http_proxy'] || ENV['HTTP_PROXY']

It may refer the environment variable set by Proxy: header sent from client in CGI.

I think it is vulnerable, as I said in [ruby-core:45579].

As far as I know, this issue is found for libwww-perl in 2001.

http://cpansearch.perl.org/src/GAAS/libwww-perl-6.04/Changes :
|2001-03-14   Gisle Aas <gisle / ActiveState.com>
|
|    Release 5.51
|
|    SECURITY FIX: If LWP::UserAgent::env_proxy is called in a CGI
|    environment, the case-insensitivity when looking for "http_proxy"
|    permits "HTTP_PROXY" to be found, but this can be trivially set by the
|    web client using the "Proxy:" header.  The fix applied is that
|    $ENV{HTTP_PROXY} is not longer honored for CGI scripts.
|    The CGI_HTTP_PROXY environment variable can be used instead.
|    Problem reported by Randal L. Schwartz.

----------------------------------------
Feature #6546: Net::HTTP to check for HTTP_PROXY environment setting.
https://bugs.ruby-lang.org/issues/6546#change-27204

Author: dekz (Jacob Evans)
Status: Assigned
Priority: Normal
Assignee: drbrain (Eric Hodel)
Category: lib
Target version: 2.0.0


@nahi suggested I request the OS environment HTTP_PROXY be honoured.

Open-uri checks for this environment setting and acts according whereas Net::HTTP does not. Not having Net::HTTP check for this condition sets precedence and stops the implementation of other environment settings (such as JRuby and JVM -Dhttp.proxyHost). 

Having this functionality will greatly enable testing with proxies rather then monkey patching or rewriting to always use HTTP.Proxy.


-- 
http://bugs.ruby-lang.org/