Opened 5 years ago

Closed 5 years ago

Last modified 9 months ago

#7037 closed defect (fixed)

Unproxied http request

Reported by: buymebeer
Owned by:
Priority: normal
Milestone: 0.15
Component: None
Version: hg
Severity: normal
Keywords: proxy
Cc: ioerror
Blocked By:
Blocking:
OS: All

Description

Bug description

An unproxied call to urllib2.Request in ./src/htmltextview.py is made on line 500 in the HtmlHandler class:

req = urllib2.Request(attrs['src'])

This can be used for all sorts of nasty shit. First of all the attrs['src'] should be sanitized, but the urllib2 should also use the proxy context of the current account.

Steps to reproduce

Send an image with a url

Attachments (1)

pycurl.diff (4.7 KB) - added by asterix 5 years ago.


Change History (9)

comment:1 Changed 5 years ago by asterix

urllib2 doesn't support socks5 proxies, so I had to switch to pycurl. Could you test the attached patch with a proxy configured?

comment:2 Changed 5 years ago by ioerror

I'd like to suggest that using a SOCKS proxy with urllib2 is a better idea - something like this: https://github.com/ln5/twisted-socks

Using curl means that the client isn't pure python and that's part of the appeal with Gajim - I trust python code for parsing urls a lot more than C code.

It seems possible to set a SOCKS proxy with urllib2: http://stackoverflow.com/questions/2537726/using-urllib2-with-socks-proxy http://stackoverflow.com/questions/2317849/how-can-i-use-a-socks-4-5-proxy-with-urllib2

Anything that results in pure python seems like a better choice - it keeps the attack surface smaller.

comment:3 follow-up: Changed 5 years ago by asterix

socksipy doesn't support authentication with HTTP proxies, it's blocker: While you connect Gajim is blocked, and it's not maintained since 2006.

Could you try to use the attached patch and tell me if that works?

comment:4 in reply to: ↑ 3 Changed 5 years ago by ioerror

Replying to asterix:

> socksipy doesn't support authentication with HTTP proxies, it's blocker: While you connect Gajim is blocked, and it's

Do you mean that a user might be behind an HTTP proxy and they need to connect to the SOCKS proxy after the HTTP proxy?

I'm not sure that this use case is very common?

> not maintained since 2006.

It works and is finished, I believe.

> Could you try to use the attached patch and tell me if that works?

Yes, I can try later today and report back.

Changed 5 years ago by asterix

comment:5 Changed 5 years ago by asterix

No, I'm not talking about chained proxies, I'm only talking about an HTTP proxy that requires authentication. socksipy doesn't support that.

Thanks to x11term's tests, I now have a working patch.

comment:6 Changed 5 years ago by Yann Leboulanger <asterix@…>

  • Resolution set to fixed
  • Status changed from new to closed

(In [72c8a3da7612]) use pycurl to download image in XHTML when a proxy is configured. Fixes #7037

comment:7 Changed 5 years ago by Yann Leboulanger <asterix@…>

(In [81deae25738c]) use pycurl to download image in XHTML when a proxy is configured. Fixes #7037

comment:8 Changed 9 months ago by Darlan

  • Keywords proxy added
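
The two fixes the ticket description asks for (sanitize the image URL, fetch only through the account's proxy), sketched as an added example; this is not Gajim's code and not the attached pycurl patch. It uses Python 3's urllib.request in place of urllib2, and the proxy dict shape and all function names are assumptions made for illustration.

```python
import urllib.request
from urllib.parse import quote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}

class UnsafeImageSource(ValueError):
    """The <img src> must not be fetched."""

def check_src(src):
    """Return src if it is a plain http(s) URL with a host, else raise."""
    parts = urlsplit(src.strip())
    if parts.scheme not in ALLOWED_SCHEMES:      # blocks file:, ftp:, data:, ...
        raise UnsafeImageSource("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise UnsafeImageSource("URL has no host")
    if parts.username or parts.password:
        raise UnsafeImageSource("credentials embedded in URL")
    return parts.geturl()

def opener_for_account(proxy):
    """proxy is the account's proxy setting: None or a dict (assumed shape)."""
    if proxy is None:
        # Direct connection; an empty map also stops urllib reading *_proxy env vars.
        return urllib.request.build_opener(urllib.request.ProxyHandler({}))
    if proxy["type"] != "http":
        # urllib cannot speak SOCKS: refuse rather than silently connect directly.
        raise UnsafeImageSource("unsupported proxy type %r" % proxy["type"])
    auth = ""
    if proxy.get("user"):
        auth = "%s:%s@" % (quote(proxy["user"], safe=""),
                           quote(proxy.get("password", ""), safe=""))
    url = "http://%s%s:%d" % (auth, proxy["host"], proxy["port"])
    handler = urllib.request.ProxyHandler({"http": url, "https": url})
    return urllib.request.build_opener(handler)

def configured_proxies(opener):
    """Proxy map the opener will actually use ({} means direct)."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return handler.proxies
    return {}

def prepare_image_request(src, proxy):
    """Validate src, then return (opener, request) bound to the account proxy."""
    req = urllib.request.Request(check_src(src))
    return opener_for_account(proxy), req
```

The caller would run `opener.open(req, timeout=5)`; an account with a SOCKS proxy gets no image at all instead of a direct connection that bypasses the proxy.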