File 0988-inets-3392-Fix-for-CVE-2016-1000107.patch of Package erlang

From bbad31719fbe28b302a8b28b1eb8a796e832e22d Mon Sep 17 00:00:00 2001
From: Marcel Lanz <marcellanz@n-1.ch>
Date: Fri, 12 Aug 2022 18:30:01 +0200
Subject: [PATCH 1/3] [inets/3392] Fix for CVE-2016-1000107.

---
 lib/inets/src/http_server/httpd_script_env.erl | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/inets/src/http_server/httpd_script_env.erl b/lib/inets/src/http_server/httpd_script_env.erl
index 1a58db9513..243857837c 100644
--- a/lib/inets/src/http_server/httpd_script_env.erl
+++ b/lib/inets/src/http_server/httpd_script_env.erl
@@ -131,6 +131,8 @@ create_http_header_elements(ScriptType, [{Name, [Value | _] = Values } |
 create_http_header_elements(ScriptType, [{Name, Value} | Headers], Acc, OtherAcc) 
   when is_list(Value) ->
     try http_env_element(ScriptType, Name, Value) of
+        skipped ->
+            create_http_header_elements(ScriptType, Headers, Acc, [OtherAcc]);
         Element ->
             create_http_header_elements(ScriptType, Headers, [Element | Acc],
                                        OtherAcc)
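Review bot: The new `skipped` branch recurses with `[OtherAcc]` instead of `OtherAcc`, so every dropped Proxy header wraps the accumulator in one more list level. The other branches visible here pass `OtherAcc` or `[{Name, Value} | OtherAcc]`, so this looks like a typo. Unless a caller outside the hunk flattens the result, code expecting a flat list of `{Name, Value}` tuples will get a nested list. I would change the line to `create_http_header_elements(ScriptType, Headers, Acc, OtherAcc);`. The remaining clauses of create_http_header_elements are outside the hunk, so how the final `OtherAcc` is consumed cannot be confirmed from here.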
@@ -140,6 +142,11 @@ create_http_header_elements(ScriptType, [{Name, Value} | Headers], Acc, OtherAcc
                                        [{Name, Value} | OtherAcc])
     end.
 
+http_env_element(cgi, "proxy", _Value)  ->
+  %% CVE-2016-1000107 – https://github.com/erlang/otp/issues/3392
+  skipped;
+http_env_element(cgi, "PROXY", _Value)  ->
+  skipped;
 http_env_element(cgi, VarName0, Value)  ->
     VarName = re:replace(VarName0,"-","_", [{return,list}, global]),
     {"HTTP_"++ http_util:to_upper(VarName), Value};
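Review bot: The two added clauses match only the exact strings "proxy" and "PROXY", but the general clause below upper-cases whatever name it receives. A header spelled `Proxy` (or any other mixed case) would therefore still be exported to the CGI script as `HTTP_PROXY`, unless header names are already case-normalized before this function, which the hunk does not show. Making the decision on the normalized name in the general clause closes that gap regardless of upstream handling, and keeps the CVE comment next to the single place where the header is dropped. Only the `cgi` clauses are visible; http_env_element continues outside the hunk, so other script types should be checked separately.

```erlang
http_env_element(cgi, VarName0, Value)  ->
    VarName = re:replace(VarName0,"-","_", [{return,list}, global]),
    case http_util:to_upper(VarName) of
        "PROXY" ->
            %% CVE-2016-1000107 - https://github.com/erlang/otp/issues/3392
            %% Never export a client-supplied Proxy header as HTTP_PROXY.
            skipped;
        Upper ->
            {"HTTP_" ++ Upper, Value}
    end;
%% ... unchanged: remaining http_env_element clauses ...
```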
-- 
2.43.0
