~alpine/users

curl large header issue https

Axel U
Message ID: <CAG5E=Ndf=c1+Hwt2rY=K-kJTtWuMHLnitDoCLrCKkp7n5ksD6w@mail.gmail.com>
If someone could follow steps below to confirm what I am seeing, I
would appreciate it, to exclude something wrong with my setup.

Environment Alpine 3.11
$ curl --version
curl 7.67.0 (x86_64-alpine-linux-musl) libcurl/7.67.0 OpenSSL/1.1.1g
zlib/1.2.11 nghttp2/1.40.0
..

This is not a discussion that servers should reject large headers for
security reasons or similar.
I found the issue originally when running an existing set of test
scripts that check server behavior for http1.1 requests with large
headers. When running those test scripts on an Alpine host, curl
reports an empty server response error (52), but the request with curl
succeeds on another distro against the same server.  Also, wget on
Alpine has no issue with essentially the same request against the same
server. So the test scripts in question would have to be adapted when
running them on an Alpine host to use wget instead of curl, but before
doing so, it smells like a curl issue on Alpine, so if someone could
confirm, I would appreciate it, to exclude something wrong with my
setup. I tried it on two Alpine hosts I have access to with the same
result. I tried the same on another distro and don’t have the issue.

Note: The steps below are only set to HTTP 0.9 because of ncat, as I tried
to come up with the easiest setup to reproduce using standard tools
and one-line commands. So if you find, already run, or want to set up
an http/https server that accepts large header sizes to test this
against and echoes it back, then run this for http1.1 (to get error
52). This occurs on https only.

Steps to reproduce

On the host we need curl, wget (to replace BusyBox’s wget
implementation), findutils (to replace BusyBox’s xargs
implementation), nmap-ncat and perl.

In Step 2 below change the multiplier (example has it as 2000) to vary
the header size; for me up to 1600 success, 1700+ error.

We need two terminals open: terminal one and terminal two.

Step 1 in terminal one (server side):
$ ncat -lvp 48443 --ssl -c 'xargs -n1 echo'

Step 2 in terminal two (client side):
$ perl -e '$b=`curl --insecure --http0.9 --silent --show-error \
    -H foo:@{["0123456789"x2000]} \
    -H zzz:here https://127.0.0.1:48443/`;print $b;'

Step 3 in terminal one:
Press Ctrl-C

Step 4 in terminal two:
Observe the output - reports an error.


Repeat above using wget instead of curl in Step 2 in terminal two = no issue:
$ perl -e '$b=`wget --no-check-certificate -O - \
    --header="foo:@{["0123456789"x2000]}" --header="zzz:here" \
    https://127.0.0.1:48443/`;print $b;'


Repeat above with curl against http server = no issue:
Step 1 in terminal one (server side):
$ ncat -lvp 48080 -c 'xargs -n1 echo'

Step 2 in terminal two (client side):
$ perl -e '$b=`curl --silent --http0.9 --show-error \
    -H foo:@{["0123456789"x2000]} \
    -H zzz:here http://127.0.0.1:48080/`;print $b;'

Steps 3 and 4 as above.


Repeat original steps unchanged (curl/https) on another distro that
has same tools installed = no issue.
PICCORO McKAY Lenz
Message ID: <CALci+FR-dcXv1hzeSq3hBXG72iQWP=6ddP9XmhzapPiYPd+h3Q@mail.gmail.com>
In-Reply-To: <CAG5E=Ndf=c1+Hwt2rY=K-kJTtWuMHLnitDoCLrCKkp7n5ksD6w@mail.gmail.com>
https://github.com/curl/curl/issues/659 ????

Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com


Axel U
Message ID: <CAG5E=Nfdh-+P1DpRKmpYbnH1pc9JPZ9RVvgq3d+GKx0gO7FvKQ@mail.gmail.com>
In-Reply-To: <CALci+FR-dcXv1hzeSq3hBXG72iQWP=6ddP9XmhzapPiYPd+h3Q@mail.gmail.com>
On Fri, May 22, 2020 at 12:51 AM PICCORO McKAY Lenz
<mckaygerhard@gmail.com> wrote:
>
> https://github.com/curl/curl/issues/659 ????
>

curl issue #659 is about http2.
Some tests are skipped in the scripts with a reference to this exact curl issue.
My issue is present with http protocol below v2.

Can you confirm the error I am having?

Step 1 in terminal one (server side):
$ ncat -lvp 48443 --ssl -c 'xargs -n1 echo'

Step 2 in terminal two (client side):
$ perl -e '$b=`curl --insecure --http0.9 --silent --show-error \
    -H foo:@{["0123456789"x2000]} \
    -H zzz:here https://127.0.0.1:48443/`;print $b;'

Step 3 in terminal one:
Press Ctrl-C

Step 4 in terminal two:
Observe the output - reports an error.

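The threshold search that the original report does by hand (changing the `x2000` multiplier until the request fails, with 1600 passing and 1700+ failing) and that the reply above repeats as Step 1/Step 2 can be automated. The script below is an added example and is not code from this thread, from curl or from Alpine. It assumes the Step 1 listener is running with `-k` (`--keep-open`) added so that ncat keeps accepting connections, `ncat -k -lvp 48443 --ssl -c 'xargs -n1 echo'`, and that `PROBE_URL` (a name chosen here) points at it. It generalises the manual check into a binary search over the multiplier, under the assumption that success is monotone in header size, and reports curl's exit status (52 is the empty-reply error the report cites).

```shell
#!/bin/sh
# Added example (not from the thread): bisect the header-size multiplier at
# which curl starts failing against the ncat --ssl listener from Step 1.
# Assumption: the listener runs as  ncat -k -lvp 48443 --ssl -c 'xargs -n1 echo'
# and PROBE_URL (a constructed default, override via the environment) points at it.

PROBE_URL="${PROBE_URL:-https://127.0.0.1:48443/}"

# Build the header value "0123456789" repeated N times, the same pattern the
# Perl one-liner in the thread uses, without needing Perl.
make_header_value() {
    awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++) printf "0123456789" }'
}

# Send one request with multiplier N, as curl Step 2 does, and return curl's
# exit status: 0 on success, 52 when curl reports an empty reply.
curl_probe() {
    curl --insecure --http0.9 --silent --max-time 10 \
        -H "foo:$(make_header_value "$1")" -H "zzz:here" \
        -o /dev/null "$PROBE_URL"
}

# Binary search: find the largest multiplier in [lo, hi] for which "$probe N"
# succeeds, assuming success is monotone (passes below some size, fails above).
# Prints that multiplier, or "none" if even lo fails.
bisect_threshold() {
    probe=$1; lo=$2; hi=$3
    if ! "$probe" "$lo"; then
        echo none
        return 1
    fi
    if "$probe" "$hi"; then
        echo "$hi"
        return 0
    fi
    # invariant: probe(lo) passes and probe(hi) fails
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if "$probe" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Usage: sh bisect-header.sh run   (with the Step 1 listener running)
if [ "${1:-}" = "run" ]; then
    last_ok=$(bisect_threshold curl_probe 100 4000)
    case $last_ok in
        none) echo "even a multiplier of 100 fails; check the listener first" ;;
        *)    echo "largest passing multiplier: $last_ok" \
                   "(foo header value: $((last_ok * 10)) bytes)" ;;
    esac
    echo "first failing multiplier: $((last_ok + 1)), curl exit status:" \
         "$(curl_probe $((last_ok + 1)); echo $?)"
fi
```

Running it on the two Alpine hosts and on the other distro from the report gives a number to compare directly instead of a pass/fail at one size; if the threshold moves with the TLS library or curl build rather than with the server, that points at the client side, which is what the report suspects.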
PICCORO McKAY Lenz
Message ID: <CALci+FQoHA1JrURBmOceX8xC3RQmjnyPOYJrQQaCtmYA+Xrhsw@mail.gmail.com>
In-Reply-To: <CAG5E=Nfdh-+P1DpRKmpYbnH1pc9JPZ9RVvgq3d+GKx0gO7FvKQ@mail.gmail.com>
I don't use it.. in fact I never used the latest of anything installed! Sorry!



-- 
Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com