From: PICCORO McKAY Lenz
Date: Fri, 22 May 2020 18:27:45 -0400
Subject: Re: curl large header issue https
To: ~alpine/users@lists.alpinelinux.org

I don't use.. in fact I never used the latest of anything installed! Sorry!

2020-05-22 10:11 GMT-04:00, Axel U:
> On Fri, May 22, 2020 at 12:51 AM PICCORO McKAY Lenz wrote:
>>
>> https://github.com/curl/curl/issues/659 ????
>>
>
> curl issue #659 is about http2.
> Some tests are skipped in the scripts with a reference to this exact curl
> issue.
> My issue is present with http protocol below v2.
>
> Can you confirm the error I am having?
>
> Step 1 in terminal one (server side):
> $ ncat -lvp 48443 --ssl -c 'xargs -n1 echo'
>
> Step 2 in terminal two (client side):
> $ perl -e '$b=`curl --insecure --http0.9 --silent --show-error \
> -H foo:@{["0123456789"x2000]} \
> -H zzz:here https://127.0.0.1:48443/`;print $b;'
>
> Step 3 in terminal one:
> Press Ctrl-C
>
> Step 4 in terminal two:
> Observe the output - reports an error.
>
>> Lenz McKAY Gerardo (PICCORO)
>> http://qgqlochekone.blogspot.com
>>
>>
>> On Thu, May 21, 2020 at 16:11, Axel U (ulrich.axel@gmail.com)
>> wrote:
>>>
>>> If someone could follow steps below to confirm what I am seeing, I
>>> would appreciate it, to exclude something wrong with my setup.
>>>
>>> Environment Alpine 3.11
>>> $ curl --version
>>> curl 7.67.0 (x86_64-alpine-linux-musl) libcurl/7.67.0 OpenSSL/1.1.1g
>>> zlib/1.2.11 nghttp2/1.40.0
>>> ..
>>>
>>> This is not a discussion that servers should reject large headers for
>>> security reasons or similar.
>>> I found the issue originally when running an existing set of test
>>> scripts that check server behavior for http1.1 requests with large
>>> headers.
>>> When running those test scripts on an Alpine host, curl
>>> reports an empty server response error (52), but the request with curl
>>> succeeds on another distro against the same server. Also, wget on
>>> Alpine has no issue with essentially the same request against the same
>>> server. So the test scripts in question would have to be adapted when
>>> running them on an Alpine host to use wget instead of curl, but before
>>> doing so, it smells like a curl issue on Alpine, so if someone could
>>> confirm, I would appreciate it, to exclude something wrong with my
>>> setup. I tried it on two Alpine hosts I have access to with the same
>>> result. I tried the same on another distro and don’t have the issue.
>>>
>>> Note: Below steps are only set to http 0.9 because of ncat, as I tried
>>> to come up with the easiest setup to reproduce using standard tools
>>> and one line commands. So if you find or already run or want to set up
>>> a http/https server that accepts large header sizes to test this
>>> against and echoes it back, then run this for http1.1 (to get error
>>> 52). This occurs on https only.
>>>
>>> Steps to reproduce
>>>
>>> on the host we need curl, wget (to replace BusyBox’s wget
>>> implementation), findutils (to replace BusyBox’s xargs
>>> implementation), nmap-ncat and perl
>>>
>>> In Step 2 below change the multiplier (example has it as 2000) to vary
>>> the header size; for me up to 1600 success, 1700+ error.
>>>
>>> We need two terminals open: terminal one and terminal two
>>>
>>> Step 1 in terminal one (server side):
>>> $ ncat -lvp 48443 --ssl -c 'xargs -n1 echo'
>>>
>>> Step 2 in terminal two (client side):
>>> $ perl -e '$b=`curl --insecure --http0.9 --silent --show-error -H foo:@{["0123456789"x2000]} -H zzz:here https://127.0.0.1:48443/`;print $b;'
>>>
>>> Step 3 in terminal one:
>>> Press Ctrl-C
>>>
>>> Step 4 in terminal two:
>>> Observe the output - reports an error.
>>>
>>>
>>> Repeat above using wget instead of curl in Step 2 in terminal two = no
>>> issue:
>>> $ perl -e '$b=`wget --no-check-certificate -O - --header="foo:@{["0123456789"x2000]}" --header="zzz:here" https://127.0.0.1:48443/`;print $b;'
>>>
>>>
>>> Repeat above with curl against http server = no issue:
>>> Step 1 in terminal one (server side):
>>> $ ncat -lvp 48080 -c 'xargs -n1 echo'
>>>
>>> Step 2 in terminal two (client side):
>>> $ perl -e '$b=`curl --silent --http0.9 --show-error -H foo:@{["0123456789"x2000]} -H zzz:here http://127.0.0.1:48080/`;print $b;'
>>>
>>> Step 3 and 4 as above.
>>>
>>>
>>> Repeat original steps unchanged (curl/https) on another distro that
>>> has same tools installed = no issue.
>

-- 
Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com
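
Added example (not part of the thread and not either poster's script): a shell harness that automates Steps 1 to 4 from the quoted report and bisects the multiplier between a known-good and a known-bad value, such as the 1600 and 1700 reported there. The function names `probe` and `bisect`, the 5-second timeout, and using the echoed `zzz` marker header as the success test are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes curl, nmap-ncat and GNU xargs
# (findutils) on PATH, port 48443 free, and that failures are monotonic in size.
PORT=${PORT:-48443}

# probe N: succeed if a request whose "foo" header carries 10*N bytes reaches
# the echo server intact, judged by the trailing "zzz" marker being echoed.
probe() {
  local n=$1 value out srv
  value=$(printf '0123456789%.0s' $(seq 1 "$n"))
  ncat -lp "$PORT" --ssl -c 'xargs -n1 echo' 2>/dev/null &
  srv=$!
  sleep 2   # let ncat bind and generate its temporary certificate
  # --max-time replaces the manual Ctrl-C: the echo server never closes first.
  # curl's exit code is ignored; only the echoed body is inspected.
  out=$(curl --insecure --http0.9 --silent --max-time 5 \
    -H "foo:$value" -H zzz:here "https://127.0.0.1:$PORT/" 2>/dev/null)
  kill "$srv" 2>/dev/null
  wait "$srv" 2>/dev/null
  printf '%s\n' "$out" | grep -q '^zzz:'
}

# bisect GOOD BAD: print the smallest failing multiplier, given one value that
# is known to succeed and one that is known to fail.
bisect() {
  local good=$1 bad=$2 mid
  while [ $((bad - good)) -gt 1 ]; do
    mid=$(( (good + bad) / 2 ))
    if probe "$mid"; then good=$mid; else bad=$mid; fi
  done
  echo "$bad"
}

# Runs only when called with both bounds, e.g.: ./sweep.sh 1600 1700
if [ "$#" -eq 2 ]; then
  if ! probe "$1"; then echo "lower bound $1 already fails" >&2; exit 1; fi
  if probe "$2"; then echo "upper bound $2 still succeeds" >&2; exit 1; fi
  echo "first failing multiplier: $(bisect "$1" "$2") (header bytes = 10x)"
fi
```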