From ba2cc40d206618571ce6639cf9e17feff6205865 Mon Sep 17 00:00:00 2001
From: The MMGen Project
Date: Sun, 8 May 2022 10:07:17 +0000
Subject: [PATCH] rpc.py: disable proxy config from environment for `requests` backend

The Requests library honors the *_PROXY environment variables by default (a dangerous and insecure policy in the opinion of the MMGen Project). Thus if the user had one of these variables set and explicitly requested the `requests` backend via the `--rpc-backend` option, JSON-RPC communications would have gone over the configured proxy. Only the `mmgen-xmrwallet` command uses `requests` as its default backend, so only it was affected by this vulnerability in the default configuration, i.e. without use of `--rpc-backend`. This patch sets `trust_env=False` to disable the dangerous behavior.
---
 mmgen/rpc.py | 12 ++++++++++--
 test/unit_tests_d/ut_dep.py | 1 +
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/mmgen/rpc.py b/mmgen/rpc.py
index 545c1f56..37d9318a 100755
--- a/mmgen/rpc.py
+++ b/mmgen/rpc.py
@@ -108,7 +108,12 @@ class RPCBackends:
 self.make_host_path = caller.make_host_path
 class aiohttp(base):
-
+ """
+ Contrary to the requests library, aiohttp won’t read environment variables by
+ default. But you can do so by passing trust_env=True into aiohttp.ClientSession
+ constructor to honor HTTP_PROXY, HTTPS_PROXY, WS_PROXY or WSS_PROXY environment
+ variables (all are case insensitive).
+ """
 def __init__(self,caller):
 super().__init__(caller)
 self.session = g.session
@@ -138,6 +143,7 @@ class RPCBackends:
 import requests,urllib3
 urllib3.disable_warnings()
 self.session = requests.Session()
+ self.session.trust_env = False # ignore *_PROXY environment vars
 self.session.headers = caller.http_hdrs
 if caller.auth_type:
 auth = 'HTTP' + caller.auth_type.capitalize() + 'Auth'
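Review bot: The new aiohttp docstring describes the library's default, but whether this backend really ignores *_PROXY depends on how `g.session` (assigned on the hunk's last context line) is constructed, which is outside this hunk; if that ClientSession is created with `trust_env=True` anywhere, the docstring becomes wrong. Suggest closing the docstring with a line that states the dependency, e.g. `The session comes from g.session and must not be created with trust_env=True.` The text also uses a non-ASCII apostrophe in `won’t`; prefer a plain `'` in source. The `aiohttp` class body continues past the hunk.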
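Review bot: The comment on the added `self.session.trust_env = False` line understates what it switches off: with `trust_env` false, requests also stops reading `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` for the `verify` setting and stops taking credentials from `~/.netrc`, not only the *_PROXY variables. A user who pointed `REQUESTS_CA_BUNDLE` at a self-signed daemon certificate will now see verification failures (or, if `verify` is disabled elsewhere in this `__init__`, an unverified connection — the `urllib3.disable_warnings()` two lines above hints that this may be the case). Suggest `self.session.trust_env = False # ignore *_PROXY, REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE and .netrc` and mentioning the CA-bundle change in the user-facing notes. The `__init__` body continues past the hunk.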
@@ -158,7 +164,9 @@ class RPCBackends:
 return (res.content,res.status_code)
 class httplib(base):
-
+ """
+ Ignores *_PROXY environment vars
+ """
 def __del__(self):
 self.session.close()
diff --git a/test/unit_tests_d/ut_dep.py b/test/unit_tests_d/ut_dep.py
index 3d2d114f..449fa82e 100755
--- a/test/unit_tests_d/ut_dep.py
+++ b/test/unit_tests_d/ut_dep.py
@@ -39,6 +39,7 @@ class unit_tests:
 import requests,urllib3
 urllib3.disable_warnings()
 session = requests.Session()
+ session.trust_env = False
 session.proxies.update({'https':'socks5h://127.243.172.8:20677'})
 try:
 session.get('https://127.188.29.17')
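Review bot: The added `session.trust_env = False` in the dependency test carries no explanation, and nothing in the commit asserts the fix itself — that the `requests` backend in rpc.py now ignores a `*_PROXY` variable. A comment such as `session.trust_env = False # as in rpc.py: never pick up *_PROXY from the environment` would explain the line, and a small regression test that sets `HTTPS_PROXY` in a monkeypatched environment, builds the backend session (if it can be constructed in isolation) and checks `session.trust_env is False` and that `session.merge_environment_settings(url, {}, None, None, None)['proxies']` is empty would guard against the setting being dropped later. The `try` block continues past the hunk.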