From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS12876 163.172.0.0/16 X-Spam-Status: No, score=-1.9 required=3.0 tests=AWL,BAYES_00, RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_ZBI,RCVD_IN_XBL,SPF_FAIL,SPF_HELO_FAIL, TO_EQ_FM_DOM_SPF_FAIL shortcircuit=no autolearn=no autolearn_force=no version=3.4.0 Received: from 80x24.org (torrelay6.tomhek.net [163.172.38.175]) by dcvr.yhbt.net (Postfix) with ESMTP id 6B271203E0 for ; Thu, 21 Jul 2016 21:49:56 +0000 (UTC) From: Eric Wong To: spew@80x24.org Subject: [PATCH] webrick: filter out HTTP_PROXY for CGIHandler Date: Thu, 21 Jul 2016 21:49:47 +0000 Message-Id: <20160721214947.10986-1-e@80x24.org> List-Id: * lib/webrick/httpservlet/cgihandler.rb (do_GET): delete HTTP_PROXY * test/webrick/test_cgi.rb (test_cgi_env): new test * test/webrick/webrick.cgi (do_GET): new endpoint to dump env --- lib/webrick/httpservlet/cgihandler.rb | 1 - test/webrick/test_cgi.rb | 14 ++++++++++++++ test/webrick/webrick.cgi | 4 +++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/lib/webrick/httpservlet/cgihandler.rb b/lib/webrick/httpservlet/cgihandler.rb index add0e44..ba6b0b6 100644 --- a/lib/webrick/httpservlet/cgihandler.rb +++ b/lib/webrick/httpservlet/cgihandler.rb @@ -53,7 +53,6 @@ def do_GET(req, res) meta["SCRIPT_FILENAME"] = @script_filename meta["PATH"] = @config[:CGIPathEnv] meta.delete("HTTP_PROXY") - if /mswin|bccwin|mingw/ =~ RUBY_PLATFORM meta["SystemRoot"] = ENV["SystemRoot"] end diff --git a/test/webrick/test_cgi.rb b/test/webrick/test_cgi.rb index 9dd6be8..764c63f 100644 --- a/test/webrick/test_cgi.rb +++ b/test/webrick/test_cgi.rb 
@@ -114,6 +114,20 @@ def test_bad_request } end + def test_cgi_env + start_cgi_server do |server, addr, port, log| + http = Net::HTTP.new(addr, port) + req = Net::HTTP::Get.new("/webrick.cgi/dumpenv") + req['proxy'] = 'http://example.com/' + req['hello'] = 'world' + http.request(req) do |res| + env = Marshal.load(res.body) + assert_equal 'world', env['HTTP_HELLO'] + assert_not_operator env, :include?, 'HTTP_PROXY' + end + end + end + CtrlSeq = [0x7f, *(1..31)].pack("C*").gsub(/\s+/, '') CtrlPat = /#{Regexp.quote(CtrlSeq)}/o DumpPat = /#{Regexp.quote(CtrlSeq.dump[1...-1])}/o diff --git a/test/webrick/webrick.cgi b/test/webrick/webrick.cgi index 43c1af8..a294fa7 100644 --- a/test/webrick/webrick.cgi +++ b/test/webrick/webrick.cgi @@ -4,7 +4,9 @@ require "webrick/cgi" class TestApp < WEBrick::CGI def do_GET(req, res) res["content-type"] = "text/plain" - if (p = req.path_info) && p.length > 0 + if req.path_info == "/dumpenv" + res.body = Marshal.dump(ENV.to_hash) + elsif (p = req.path_info) && p.length > 0 res.body = p elsif (q = req.query).size > 0 res.body = q.keys.sort.collect{|key|
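Review bot: in the lib/webrick/httpservlet/cgihandler.rb hunk, `meta.delete("HTTP_PROXY")` is an unchanged context line and the only change is the removal of the blank line after it, so the log entry "(do_GET): delete HTTP_PROXY" does not match what this hunk changes. Either reword that entry or drop the whitespace-only change. A one-line comment above the delete would also help, saying that a client-supplied `Proxy` request header would otherwise reach the CGI script as `HTTP_PROXY`, which is the case test_cgi_env sets up with `req['proxy']`.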
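Review bot: in test_cgi_env (test/webrick/test_cgi.rb), `Marshal.load(res.body)` runs without first checking the response status, so a CGI that fails to start or returns an error page would surface as a Marshal error instead of a clear assertion failure. Add `assert_equal '200', res.code` before the load. The `assert_equal 'world', env['HTTP_HELLO']` control is worth keeping, since it proves that other request headers still reach the script and that only `HTTP_PROXY` is filtered.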
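Review bot: in the test/webrick/webrick.cgi hunk, the new `/dumpenv` branch returns `Marshal.dump(ENV.to_hash)` while the context line above it has already set `res["content-type"] = "text/plain"`, so binary Marshal data is served with a text content type. Set a binary content type inside that branch, or emit a text format the test can parse. The test only reads `HTTP_HELLO` and `HTTP_PROXY`, so restricting the dump to keys beginning with `HTTP_` would keep the fixture from returning the whole process environment.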