https://bugzilla.redhat.com/show_bug.cgi?id=1353798
--- Doc Text *updated* by Summer Long <slong(a)redhat.com> ---
An input-validation flaw was discovered in the Go programming language built in CGI
implementation, which set the environment variable "HTTP_PROXY" using the
incoming "Proxy" HTTP-request header. The environment variable
"HTTP_PROXY" is used by numerous web clients, including Go's net/http
package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests.
This meant that when a CGI-based web application ran, an attacker could specify a proxy
server which the application then used for subsequent outgoing requests, allowing a
man-in-the-middle attack.
--
You are receiving this mail because:
You are on the CC list for the bug.