File 1325-inets-3392-via-code-review-canonicalize-the-HTTP-var.patch of Package erlang

From 2324b79ca51cddef4f46daed9841a024edd2fdaf Mon Sep 17 00:00:00 2001
From: Marcel Lanz <marcellanz@n-1.ch>
Date: Mon, 5 Sep 2022 19:16:33 +0200
Subject: [PATCH 2/3] [inets/3392] via code-review; canonicalize the HTTP
 variable name as uppercase and skip any occurrence of PROXY.

---
 lib/inets/src/http_server/httpd_script_env.erl | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/lib/inets/src/http_server/httpd_script_env.erl b/lib/inets/src/http_server/httpd_script_env.erl
index 243857837c..0e6857dbf8 100644
--- a/lib/inets/src/http_server/httpd_script_env.erl
+++ b/lib/inets/src/http_server/httpd_script_env.erl
@@ -142,14 +142,16 @@ create_http_header_elements(ScriptType, [{Name, Value} | Headers], Acc, OtherAcc
                                        [{Name, Value} | OtherAcc])
     end.
 
-http_env_element(cgi, "proxy", _Value)  ->
-  %% CVE-2016-1000107 – https://github.com/erlang/otp/issues/3392
-  skipped;
-http_env_element(cgi, "PROXY", _Value)  ->
-  skipped;
-http_env_element(cgi, VarName0, Value)  ->
-    VarName = re:replace(VarName0,"-","_", [{return,list}, global]),
-    {"HTTP_"++ http_util:to_upper(VarName), Value};
+http_env_element(cgi, VarName0, Value) ->
+  case http_util:to_upper(VarName0) of
+    "PROXY" ->
+      %% CVE-2016-1000107 – https://github.com/erlang/otp/issues/3392
+      skipped;
+    VarName1 ->
+      VarNameUpper = re:replace(VarName1, "-", "_", [{return, list}, global]),
+      {"HTTP_" ++ VarNameUpper, Value}
+  end;
+
 http_env_element(esi, VarName0, Value)  ->
     list_to_existing_atom(VarName0),
     VarName = re:replace(VarName0,"-","_", [{return,list}, global]),
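Review bot: The comment on the `"PROXY"` branch gives only a CVE number and an issue link, so the reason for dropping the header is not readable from the code and the guard could be lost in a later refactor. I would spell it out, e.g. `%% Drop the Proxy request header: exported as HTTP_PROXY it can be read by the CGI script's HTTP client as outbound proxy configuration (CVE-2016-1000107).` The match is an exact comparison on the upper-cased name, so it relies on header names arriving here already trimmed; that is not visible in this hunk and is worth confirming against the header parser or pinning with a test case for mixed-case `Proxy`. As a style point, the rewritten cgi clause is indented by two spaces while the esi clause below uses four, and the blank line added after `end;` splits clauses of the same function. The esi clause continues past the end of the hunk.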
-- 
2.43.0
