mmgen/mmgen-wallet
1
0
Fork 0
Code Issues Pull requests Projects Releases 28 Packages Wiki Activity

rpc.py: disable proxy config from environment for requests backend

Browse source 
The Requests library honors the *_PROXY environment variables by default
  (a dangerous and insecure policy in the opinion of the MMGen Project).
  Thus if the user had one of these variables set and explicitly requested the
  `requests` backend via the `--rpc-backend` option, JSON-RPC communications
  would have gone over the configured proxy.

  Only the `mmgen-xmrwallet` command uses `requests` as its default backend,
  so only it was affected by this vulnerability in the default configuration,
  i.e. without use of `--rpc-backend`.

  This patch sets `trust_env=False` to disable the dangerous behavior.
This commit is contained in:
The MMGen Project 2022-05-08 10:07:17 +00:00
commit ba2cc40d20
Signed by: mmgen
GPG key ID: 3F8B1861E32B7DA2
2 changed files with 11 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
test/unit_tests_d/ut_dep.py
View file

@ -39,6 +39,7 @@ class unit_tests:
import requests,urllib3
urllib3.disable_warnings()
session = requests.Session()
session.trust_env = False
session.proxies.update({'https':'socks5h://127.243.172.8:20677'})
try:
session.get('https://127.188.29.17')