Do not use HTTP_PROXY (HTTP_*) to avoid vulnerabilities #87

Open
ko1nksm opened this issue Aug 2, 2021 · 2 comments

ko1nksm commented Aug 2, 2021

https://httpoxy.org/

A CGI application vulnerability (in 2016)
for PHP, Go, Python and others
httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header.

tashian (Member) commented Aug 2, 2021

Thanks @ko1nksm. Looks like this is a server-side vulnerability. The CGI environment is out of scope for cli-guidelines. Being able to use an HTTP proxy as a client is still necessary in many environments, and CLI apps should consider supporting it.

ko1nksm (Author) commented Aug 8, 2021

What you are saying makes sense, but the existing CLI apps only support lowercase http_proxy.

https://curl.se/docs/manpage.html

The environment variables can be specified in lower case or upper case. The lower case version has precedence. http_proxy is an exception as it is only available in lower case.

Using an environment variable to set the proxy has the same effect as using the -x, --proxy option.

http_proxy [protocol://]<host>[:port]

Sets the proxy server to use for HTTP.

HTTPS_PROXY [protocol://]<host>[:port]

Sets the proxy server to use for HTTPS.

https://www.gnu.org/software/wget/manual/wget.html#Proxies-1

Wget supports proxies for both HTTP and FTP retrievals. The standard way to specify proxy location, which Wget recognizes, is using the following environment variables:

http_proxy
https_proxy
If set, the http_proxy and https_proxy variables should contain the URLs of the proxies for HTTP and HTTPS connections respectively.
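Added example, not code from this thread or from the cli-guidelines project: a Go proxy resolver that follows the lowercase-first convention in the curl and wget excerpts above and ignores the uppercase HTTP_PROXY whenever REQUEST_METHOD is set, the CGI condition under which RFC 3875 would have derived it from a client's Proxy header. The environment map, hostnames and the policy itself are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ProxyFromEnv resolves the outgoing proxy for scheme "http" or "https" from
// an environment map. Policy (an assumption modelled on the curl/wget text
// quoted in the thread): lowercase wins; HTTPS_PROXY is a fallback; HTTP_PROXY
// is honoured only when not under CGI (REQUEST_METHOD unset), since RFC 3875
// fills HTTP_PROXY from a client's "Proxy:" request header (httpoxy).
func ProxyFromEnv(scheme string, env map[string]string) (*url.URL, error) {
	names := []string{"https_proxy", "HTTPS_PROXY"}
	if scheme != "https" { // anything else is treated as plain HTTP
		names = []string{"http_proxy"}
		if env["REQUEST_METHOD"] == "" { // not CGI: HTTP_PROXY is the operator's
			names = append(names, "HTTP_PROXY")
		}
	}
	for _, name := range names {
		raw := env[name]
		if raw == "" {
			continue
		}
		if !strings.Contains(raw, "://") { // bare host[:port], as curl accepts
			raw = "http://" + raw
		}
		u, err := url.Parse(raw)
		if err != nil || u.Host == "" {
			return nil, fmt.Errorf("%s=%q: invalid proxy URL", name, raw)
		}
		return u, nil
	}
	return nil, nil // no proxy configured
}

func main() {
	// Constructed environment: a CGI request whose Proxy header became HTTP_PROXY.
	env := map[string]string{
		"REQUEST_METHOD": "GET",
		"HTTP_PROXY":     "http://injected.example:8080",
		"https_proxy":    "proxy.internal:3128",
	}
	u, _ := ProxyFromEnv("http", env)
	fmt.Println("http proxy:", u) // <nil>: header-derived HTTP_PROXY ignored
	u, _ = ProxyFromEnv("https", env)
	fmt.Println("https proxy:", u) // http://proxy.internal:3128
}
```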
