ded/cpp-httplib
1
0
Fork 0
mirror of https://github.com/yhirose/cpp-httplib.git synced 2026-06-11 09:07:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Drop set_proxy_from_env per #2446 discussion

Browse Source 
Per @unterwegi's feedback in #2446, environment variable handling
conflicts with cpp-httplib's long-standing policy of explicit
configuration (e.g. set_ca_cert_path requires explicit paths instead
of reading SSL_CERT_FILE / SSL_CERT_DIR). The NO_PROXY matching logic
is the genuinely tricky part worth keeping in the library; getenv
parsing is trivial and is left to the caller.

- Remove Client::set_proxy_from_env, ClientImpl::set_proxy_from_env,
  and ClientImpl::apply_proxy_url
- Remove ScopedEnv test helper and env-driven NoProxyTest cases
- Replace the "Read proxy settings from the environment" docs with a
  short snippet showing how to parse no_proxy and feed set_no_proxy()
- Keep set_no_proxy() and all NO_PROXY pattern matching intact
This commit is contained in:
yhirose
2026-05-24 21:17:37 -04:00
parent b66fe35868
commit f302e15228
5 changed files with 40 additions and 294 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
README.md
View File

@@ -1218,38 +1218,30 @@ Limitations:
- `set_no_proxy` replaces any previously configured list; there is no
append API.
#### Read proxy settings from the environment
`set_proxy_from_env` configures the client from proxy-related
environment variables.
cpp-httplib does **not** read `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`
itself — this is consistent with `set_ca_cert_path()` and the rest of
the configuration API. If you want that behavior, parse the variables
in your application and pass the bypass patterns to `set_no_proxy()`:
```cpp
httplib::Client cli("https://api.example.com");
cli.set_proxy_from_env();
if (auto *v = std::getenv("no_proxy"); v && *v) {
std::vector<std::string> patterns;
std::stringstream ss(v);
for (std::string item; std::getline(ss, item, ',');) {
// trim whitespace as needed
if (!item.empty()) { patterns.push_back(std::move(item)); }
}
cli.set_no_proxy(patterns);
}
```
Variables read:
- `https_proxy` / `HTTPS_PROXY` — used by HTTPS clients (`SSLClient`)
- `http_proxy` (lowercase only — see security note below) — used by HTTP clients
- `no_proxy` / `NO_PROXY` — comma-separated list of bypass patterns
Returns `true` if at least one variable was found and applied.
> [!IMPORTANT]
> The uppercase `HTTP_PROXY` is intentionally ignored to mitigate the
> "httpoxy" class of bugs ([CVE-2016-5385](https://httpoxy.org/)). In
> CGI / FastCGI environments the variable name collides with the
> `HTTP_*` namespace used to expose request headers, allowing a remote
> attacker to set the proxy URL via the `Proxy:` request header.
> cpp-httplib follows curl, Go, and Python `requests` in honoring only
> the lowercase `http_proxy`. `HTTPS_PROXY` and `NO_PROXY` are safe in
> either case because their names do not begin with `HTTP_`.
> [!NOTE]
> `set_proxy_from_env` reads `getenv` synchronously. Call it once at
> startup before issuing any requests; concurrent `setenv` from other
> threads is undefined.
> If you also read `HTTP_PROXY` from the environment, prefer the
> lowercase `http_proxy` only. The uppercase form is poisoned in
> CGI / FastCGI environments by the `Proxy:` request header
> ([CVE-2016-5385 / "httpoxy"](https://httpoxy.org/)). `HTTPS_PROXY`
> and `NO_PROXY` are safe in either case because their names do not
> begin with `HTTP_`.
### Range