Download
Browse source Changelog tiny-curl
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code review Code style Contribute Dashboard Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

FW: GET http request

From: Dewancker, Bart via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 8 Sep 2020 14:29:33 +0000

Van: Dewancker, Bart
Verzonden: dinsdag 8 september 2020 12:23
Aan: Daniel Stenberg <daniel_at_haxx.se>; Erik Janssen <Erik.Janssen_at_axis.com>
Onderwerp: GET http request

Hi Daniel, Erik,

Thanks for the feedback. We use asan as an address-sanitizer.

The theory is one possible explanation, but one question to help me understand what is going wrong. As I understand it, the first request in the WireShark is sent by our video recorder. After the unauthorized response, we see in the WireShark that a second request is sent to the Axis camera. But we do not launch a second request in our video recorder. Is this second request launched by the libcurl?

I have simulated with the command line and indeed see a second request in which the url is unchanged compared to the first request. But why are we seeing the changed url in the WireShark?

[cid:image003.jpg_at_01D685FD.42CF72C0]

WireShark trace with modified url:

[cid:image002.jpg_at_01D685DA.C3BB6010]

Thanks,

Bart

-----Oorspronkelijk bericht-----
Van: Daniel Stenberg <daniel_at_haxx.se<mailto:daniel_at_haxx.se>>
Verzonden: dinsdag 8 september 2020 11:01
Aan: Dewancker, Bart via curl-library <curl-library_at_cool.haxx.se<mailto:curl-library_at_cool.haxx.se>>
CC: Dewancker, Bart <bart.dewancker_at_xtralis.com<mailto:bart.dewancker_at_xtralis.com>>
Onderwerp: [External] Re: GET http request

On Tue, 8 Sep 2020, Dewancker, Bart via curl-library wrote:

> in this second request, some extra data has been added to the url head:

> /axis-cgi/admin/10.0.0.180 (see Figure 3).Due to this extra

> information, the requested page cannot be found. We have not seen this

> behavior on Debian stretch OS with Curl version 7.52. Is this a new

> option in version 7.64 compared to version 7.52? And if so, how can we disable this option?

curl would never change the URL like that (on purpose).

Since I don't recognize this as a libcurl bug I suspect this is an issue in your code. Have you run your application with valgrind / address-sanitizer ?

A theory: the step from 7.52 to 7.64 meant switching to a curl version where we redid the URL parsing and handling so maybe a mistake from before somehow didn't have an effect until libcurl changed. 

--
  / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

image002.jpg image003.jpg
Received on 2020-09-08