7.83 breaks multi-line HTTP headers #8844
Comments
|
Yes, that was unintentional. I really had no thought about multi-line when I did that change. Also clearly we have no test case in curl for them. I wouldn't mind bringing back some handling of them - even if the fact that this is noticed only just now indicates that this truly is a feature not widely used out there. After all, this header style has been deprecated for eight years already. (RFC 7230 is from 2014.) If we bring back support for these, we should also add a test case to verify and I figure the header API needs to be either adjusted for it or clarified in docs how it handles them. |
|
Hello, It came up as an autopkgtest regression in Ubuntu and Debian with the move to 7.83. I'm opening a bug report in tornado so that the regression is addressed. Depending on the decision here (i.e., dropping the support for multi-line headers or reintroducing it), the fix will be different. Thanks! |
|
So far, it seems this issue has only been found to break tests, not actual real world use cases. |
|
If you build without headers API support, then maybe this little patch brings it back. I'll need to make a little more to do this "proper": diff --git a/lib/http.c b/lib/http.c
index b215307dc..2c78c3b34 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3797,15 +3797,20 @@ static CURLcode verify_header(struct Curl_easy *data)
return CURLE_WEIRD_SERVER_REPLY;
}
if(k->headerline < 2)
/* the first "header" is the status-line and it has no colon */
return CURLE_OK;
- ptr = memchr(header, ':', hlen);
- if(!ptr) {
- /* this is bad, bail out */
- failf(data, "Header without colon");
- return CURLE_WEIRD_SERVER_REPLY;
+ if((header[0] == ' ') || (header[0] == '\t'))
+ /* line folding */
+ ;
+ else {
+ ptr = memchr(header, ':', hlen);
+ if(!ptr) {
+ /* this is bad, bail out */
+ failf(data, "Header without colon");
+ return CURLE_WEIRD_SERVER_REPLY;
+ }
}
return CURLE_OK;
}
/* |
Folder header lines will now get passed through like before. The headers API is adapted and will get and provide the content "un-folded". Added test 1274 and extended test 1940 to verify. Fixes #8844 Reported-by: Petr Pisar
Folded header lines will now get passed through like before. The headers API is adapted and will get and provide the content "un-folded". Added test 1274 and extended test 1940 to verify. Fixes #8844 Reported-by: Petr Pisar
I noticed that curl 7.83 started to error on multi-line HTTP headers.
Sending a response like this:
to curl raises this error now:
This is very probably caused by #8610.
https://www.ietf.org/rfc/rfc2616.html#section-4.2 supports these headers:
To my surprise https://www.ietf.org/rfc/rfc7230.html#section-3.2.4 deprecated them:
I found this regression with a test suite of libisds project. That project took the multi-line headers from a specification of a protocol it implements. Checking the latest specification of the protocol, the multi-line headers were replaced with single-line headers.
Still, would you consider restoring the old behavior? Or at least ignoring the consequent lines of the multi-lined headers as recommended with RFC 7230?
The text was updated successfully, but these errors were encountered: