Browse Source

rpc.py: disable proxy config from environment for `requests` backend

  The Requests library honors the *_PROXY environment variables by default
  (a dangerous and insecure policy in the opinion of the MMGen Project).
  Thus if the user had one of these variables set and explicitly requested the
  `requests` backend via the `--rpc-backend` option, JSON-RPC communications
  would have gone over the configured proxy.

  Only the `mmgen-xmrwallet` command uses `requests` as its default backend,
  so only it was affected by this vulnerability in the default configuration,
  i.e. without use of `--rpc-backend`.

  This patch sets `trust_env=False` to disable the dangerous behavior.
The MMGen Project 2 years ago
parent
commit
ba2cc40d
2 changed files with 11 additions and 2 deletions
  1. 10 2
      mmgen/rpc.py
  2. 1 0
      test/unit_tests_d/ut_dep.py

+ 10 - 2
mmgen/rpc.py

@@ -108,7 +108,12 @@ class RPCBackends:
 			self.make_host_path = caller.make_host_path
 
 	class aiohttp(base):
-
+		"""
+		Contrary to the requests library, aiohttp won’t read environment variables by
+		default.  But you can do so by passing trust_env=True into aiohttp.ClientSession
+		constructor to honor HTTP_PROXY, HTTPS_PROXY, WS_PROXY or WSS_PROXY environment
+		variables (all are case insensitive).
+		"""
 		def __init__(self,caller):
 			super().__init__(caller)
 			self.session = g.session
@@ -138,6 +143,7 @@ class RPCBackends:
 			import requests,urllib3
 			urllib3.disable_warnings()
 			self.session = requests.Session()
+			self.session.trust_env = False # ignore *_PROXY environment vars
 			self.session.headers = caller.http_hdrs
 			if caller.auth_type:
 				auth = 'HTTP' + caller.auth_type.capitalize() + 'Auth'
@@ -158,7 +164,9 @@ class RPCBackends:
 			return (res.content,res.status_code)
 
 	class httplib(base):
-
+		"""
+		Ignores *_PROXY environment vars
+		"""
 		def __del__(self):
 			self.session.close()
 

+ 1 - 0
test/unit_tests_d/ut_dep.py

@@ -39,6 +39,7 @@ class unit_tests:
 		import requests,urllib3
 		urllib3.disable_warnings()
 		session = requests.Session()
+		session.trust_env = False
 		session.proxies.update({'https':'socks5h://127.243.172.8:20677'})
 		try:
 			session.get('https://127.188.29.17')