Your message dated Tue, 06 Feb 2024 22:35:05 +0000
with message-id <[email protected]>
and subject line Bug#1063342: fixed in curl 8.6.0-2
has caused the Debian Bug report #1063342,
regarding libcurl now rejects HTTP/1.0 responses to HEAD containing body
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1063342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063342
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcurl3-gnutls
Version: 8.6.0-1

tl;dr: I found a regression in bug-compatibility but I have no idea if
       it should be considered a problem.

Hi.

I investigated the failing dgit autopkgtest, which is (at least one
of the reasons) preventing src:curl from migrating.

I found that the root cause was that dgit's test suite has a stunt
http server which mishandles HTTP HEAD requests: it doesn't look at
the request method at all, so it responds to HEAD the same as GET,
with a body.  So that is wrong.

The new libcurl rejects this, with a "Weird server reply" error.

I have filed the bug in the test case's stunt httpd as #1063341 (with
severity serious) and we will fix it in src:dgit soon.

However, I wonder whether this behavioural change in curl is
intentional or desirable.  It seems to me that it might pose a
compatibility hazard.  I know that compatibility, even with broken
peers, is often important in the web space.

I haven't tested the behaviour with HTTP/1.1.  HTTP/1.1 has different
framing arrangements: depending on the framing, a similar bug in a
server would result in a framing error so such a buggy server wouldn't
survive.  But with HTTP/1.0, a response which erroneously includes the
body is unambiguous and parseable.

I don't know if HTTP/1.0 is common enough, and compatibility with such
buggy HTTP servers important enough, to be concerned.  I thought I
would file this bug to inform you about the situation and let you
decide.  I hope you find that helpful.

Please downgrade, close, or forward to upstream, or upgrade, this bug,
as seems appropriate.

Thanks for your attention and your maintenance of this critical
package.

Regards,
Ian.

30178 read(7, "H", 1)                   = 1
 | 00000  48                                                H                |
30178 read(7, "E", 1)                   = 1
 | 00000  45                                                E                |
30178 read(7, "A", 1)                   = 1
 | 00000  41                                                A                |
30178 read(7, "D", 1)                   = 1
 | 00000  44                                                D                |
30178 read(7, " ", 1)                   = 1
 | 00000  20                                                                 |
30178 read(7, "/", 1)                   = 1
 | 00000  2f                                                /                |
30178 read(7, "p", 1)                   = 1
 | 00000  70                                                p                |
...
30178 write(7, "HTTP/1.0 404 Not found\r\nContent-Type: text/html; 
charset=ISO-8859-1\r\n\r\n<!DOCTYPE html\n\tPUBLIC \"-//W3C//DTD XHTML 1.0 
Transitional//EN\"\n\t 
\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html 
xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en-US\" 
xml:lang=\"en-US\">\n<head>\n<title>Not found</title>\n<meta 
http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\" 
/>\n</head>\n<body>\n<h1>Not found</h1>\n</body>\n</html>", 426) = 426
30178 close(7)                          = 0

...

dgit: error: fetch of http://127.0.0.1:40339/pari-extra.git/HEAD failed (Weird 
server reply):

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 8.6.0-2
Done: Samuel Henrique <[email protected]>

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Henrique <[email protected]> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Feb 2024 20:52:46 +0000
Source: curl
Architecture: source
Version: 8.6.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Curl Maintainers <[email protected]>
Changed-By: Samuel Henrique <[email protected]>
Closes: 1063342
Changes:
 curl (8.6.0-2) unstable; urgency=medium
 .
   * d/p/sendf_ignore_response_body_to_head.patch: New upstream patch to fix a
     compat issue (closes: #1063342)
   * d/control: Switch from pkg-config to pkgconf

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
