As the site mentions, the PHP vulnerabilities are with specific libraries (Guzzle 4+ and Artax are mentioned), not the curl library that comes with PHP that most sites are probably using. PHP’s curl library requires explicit setup to use a proxy by setting CURLOPT_PROXY.
On Windows, environment variables are case insensitive, so you shouldn’t use GetEnvironmentVariable but instead use the standard C environ global or GetEnvironmentStrings and parse the result manually. Cygwin is not affected by this problem.
I believe the biggest problem is thinking that configuration and interprocess communication were somehow related since they both are a “bag of properties”. I mitigate this in my own designs by using lower-case environment variables for my own configuration – it “looks weird” to people, and occasionally I see other programmers send me patches that “fix” the case of my variables, but then I point out that my implementation of http_proxy was always immune to this attack, back in the 1990s.
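The lower-case convention described in the comment above, written out as an added example (not the commenter's code); the sample environments are constructed, and the `case_insensitive` flag stands in for Windows, where the two names are the same variable and the convention alone cannot tell an operator-set value from a header-derived one:

```python
from typing import Mapping, Optional

# Constructed sample environments for the demonstration (not real captures).
OPERATOR_ENV = {"http_proxy": "http://proxy.corp.example:3128"}
CGI_HEADER_ENV = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REQUEST_METHOD": "GET",
    # What a CGI gateway would create from a client-supplied "Proxy:" header.
    "HTTP_PROXY": "http://proxy-from-header.example:8080",
}
CGI_BOTH_ENV = {**CGI_HEADER_ENV, **OPERATOR_ENV}


def in_cgi_request(environ: Mapping[str, str]) -> bool:
    """A CGI handler is recognisable by the meta-variables RFC 3875 requires."""
    return "GATEWAY_INTERFACE" in environ or "REQUEST_METHOD" in environ


def find_http_proxy(environ: Mapping[str, str], case_insensitive: bool = False) -> Optional[str]:
    """Return the proxy URL an operator configured, or None.

    case_insensitive=False models POSIX: only the lower-case name is honoured,
    and CGI only ever creates the upper-case HTTP_PROXY, so a header-derived
    value is never picked up.
    case_insensitive=True models Windows: the names collide, so inside a CGI
    request the only safe choice is to take no proxy from the environment.
    """
    if not case_insensitive:
        return environ.get("http_proxy")
    if in_cgi_request(environ):
        return None
    for name, value in environ.items():
        if name.lower() == "http_proxy":
            return value
    return None


if __name__ == "__main__":
    print(find_http_proxy(OPERATOR_ENV))                         # http://proxy.corp.example:3128
    print(find_http_proxy(CGI_HEADER_ENV))                       # None
    print(find_http_proxy(CGI_BOTH_ENV))                         # http://proxy.corp.example:3128
    print(find_http_proxy(CGI_BOTH_ENV, case_insensitive=True))  # None
```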
An updated Guzzle release is available, 5.3.1 and 6.2.1. Not yet available as RPM package in EPEL though.
Perl (well, LWP) fixed this back in March 2001:
http://www.nntp.perl.org/group/perl.libwww/2001/03/msg2249.html
Way to go!
Ruby is not at risk http://ruby-doc.org/stdlib-2.3.1/libdoc/uri/rdoc/URI/Generic.html#method-i-find_proxy