From: Axel U
Date: Thu, 21 May 2020 16:11:00 -0400
Subject: curl large header issue https
To:
~alpine/users@lists.alpinelinux.org

If someone could follow steps below to confirm what I am seeing, I would appreciate it, to exclude something wrong with my setup.

Environment
Alpine 3.11
$ curl --version
curl 7.67.0 (x86_64-alpine-linux-musl) libcurl/7.67.0 OpenSSL/1.1.1g zlib/1.2.11 nghttp2/1.40.0
..

This is not a discussion that servers should reject large headers for security reasons or similar.

I found the issue originally when running an existing set of test scripts that check server behavior for http1.1 requests with large headers. When running those test scripts on an Alpine host, curl reports an empty server response error (52), but the request with curl succeeds on another distro against the same server. Also, wget on Alpine has no issue with essentially the same request against the same server.

So the test scripts in question would have to be adapted when running them on an Alpine host to use wget instead of curl, but before doing so, it smells like a curl issue on Alpine, so if someone could confirm, I would appreciate it, to exclude something wrong with my setup. I tried it on two Alpine hosts I have access to with the same result. I tried the same on another distro and don’t have the issue.

Note: Below steps are only set to http 0.9 because of ncat, as I tried to come up with the easiest setup to reproduce using standard tools and one line commands. So if you find or already run or want to set up a http/https server that accepts large header sizes to test this against and echoes it back, then run this for http1.1 (to get error 52). This occurs on https only.
Steps to reproduce

On the host we need curl, wget (to replace BusyBox’s wget implementation), findutils (to replace BusyBox’s xargs implementation), nmap-ncat and perl.

In Step 2 below change the multiplier (example has it as 2000) to vary the header size; for me up to 1600 success, 1700+ error.

We need two terminals open: terminal one and terminal two.

Step 1 in terminal one (server side):
$ ncat -lvp 48443 --ssl -c 'xargs -n1 echo'

Step 2 in terminal two (client side):
$ perl -e '$b=`curl --insecure --http0.9 --silent --show-error -H foo:@{["0123456789"x2000]} -H zzz:here https://127.0.0.1:48443/`;print $b;'

Step 3 in terminal one:
Press Ctrl-C

Step 4 in terminal two:
Observe the output - reports an error.

Repeat above using wget instead of curl in Step 2 in terminal two = no issue:
$ perl -e '$b=`wget --no-check-certificate -O - --header="foo:@{["0123456789"x2000]}" --header="zzz:here" https://127.0.0.1:48443/`;print $b;'

Repeat above with curl against http server = no issue:

Step 1 in terminal one (server side):
$ ncat -lvp 48080 -c 'xargs -n1 echo'

Step 2 in terminal two (client side):
$ perl -e '$b=`curl --silent --http0.9 --show-error -H foo:@{["0123456789"x2000]} -H zzz:here http://127.0.0.1:48080/`;print $b;'

Step 3 and 4 as above.

Repeat original steps unchanged (curl/https) on another distro that has same tools installed = no issue.
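
Added example, not part of the original message: a small script that bisects the multiplier between the reported passing value (1600) and failing value (1700), so the exact header size at which the curl/https request starts failing can be compared with known limits such as the 16384-byte cap on a TLS record's plaintext. Assumptions: the function names are hypothetical, the Step 1 listener is started with ncat's --keep-open so it survives repeated connections, and --max-time is added so curl returns without pressing Ctrl-C on the server.

```sh
#!/bin/sh
# Added example: find the largest header multiplier that still works.

# make_header N: print "foo:" followed by "0123456789" repeated N times,
# the same header value the perl one-liner in Step 2 builds.
make_header() {
    awk -v n="$1" 'BEGIN { printf "foo:"; for (i = 0; i < n; i++) printf "0123456789" }'
}

# header_bytes N: length in bytes of the header line built by make_header.
header_bytes() {
    echo $(( $1 * 10 + 4 ))
}

# probe_curl N: succeed only if the trailing zzz header is echoed back.
# Assumes the Step 1 listener runs on 127.0.0.1:48443 with --keep-open.
probe_curl() {
    out=$(curl --insecure --http0.9 --silent --show-error --max-time 5 \
        -H "$(make_header "$1")" -H zzz:here \
        https://127.0.0.1:48443/ 2>/dev/null) || true
    case $out in
        *zzz:*here*) return 0 ;;
        *) return 1 ;;
    esac
}

# bisect_max LO HI PROBE: LO must pass and HI must fail.
# Prints the largest N in [LO, HI) for which "PROBE N" succeeds.
bisect_max() {
    lo=$1 hi=$2 probe=$3
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Run as: sh bisect.sh run   (with the Step 1 listener already up)
if [ "${1:-}" = run ]; then
    n=$(bisect_max 1600 1700 probe_curl)
    echo "last passing multiplier: $n ($(header_bytes "$n") header bytes)"
fi
```

Swapping probe_curl for a wget-based probe, or pointing it at the plain-http listener on port 48080, gives the same comparison the message makes by hand.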