python · NewUserHa · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024 · Dec 10, 2024
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
@@ -1893,12 +1893,14 @@ def getproxies_environment():
             environment.append((name, value, proxy_name))
             if value:
                 proxies[proxy_name] = value
-    # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
-    # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
-    # header from the client
-    # If "proxy" is lowercase, it will still be used thanks to the next block
+
+    # CVE-2016-1000110 - If we are running as CGI script (i.e. when "REQUEST_METHOD"
+    # environment varable is set), forget HTTP_PROXY (non-all-lowercase)
+    # as it may be set from the web server by a "Proxy:" header from the atacker client.
+    # The below code check and drop it before the second pass matches lowercase.
     if 'REQUEST_METHOD' in os.environ:
         proxies.pop('http', None)
+
     for name, value, proxy_name in environment:
         # not case-folded, checking here for lower-case env vars only
         if name[-6:] == '_proxy':
@@ -2126,7 +2128,7 @@ def getproxies():
         """
         return getproxies_environment() or getproxies_registry()
 
-    def proxy_bypass_registry(host):
+    def getproxy_bypass_registry():
         try:
             import winreg
         except ImportError:
@@ -2144,20 +2146,26 @@ def proxy_bypass_registry(host):
             return False
         if not proxyEnable or not proxyOverride:
             return False
-        return _proxy_bypass_winreg_override(host, proxyOverride)
 
-    def proxy_bypass(host):
+        return proxyOverride
+
+    def proxy_bypass_registry(host, proxy_override=None):
+        if proxy_override := proxy_override or getproxy_bypass_registry():
+            return _proxy_bypass_winreg_override(host, proxy_override)
+        return False
+
+    def proxy_bypass(host, env_proxies=None, proxy_override=None):
         """Return True, if host should be bypassed.
 
         Checks proxy settings gathered from the environment, if specified,
         or the registry.
 
         """
-        proxies = getproxies_environment()
-        if proxies:
+        if proxies := env_proxies or getproxies_environment():
             return proxy_bypass_environment(host, proxies)
         else:
-            return proxy_bypass_registry(host)
+            proxy_override = proxy_override or getproxy_bypass_registry()
+            return proxy_bypass_registry(host, proxy_override)
 
 else:
     # By default use environment variables

diff --git a/Misc/NEWS.d/next/Library/2026-06-12-02-00-00.gh-issue-127753.abcdef.rst b/Misc/NEWS.d/next/Library/2026-06-12-02-00-00.gh-issue-127753.abcdef.rst
@@ -0,0 +1 @@
+#