Bug#620344: apt: http method sends bogus Host: header

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#620344: apt: http method sends bogus Host: header
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date: Fri, 01 Apr 2011 12:12:47 +0200
Message-id: <[🔎] 20110401101247.31470.15237.reportbug@perseus.lan>
Reply-to: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>, 620344@bugs.debian.org
Package: apt
Version: 0.8.10.3
Severity: normal

Hello,

I configured a http source line using an ipv6 IP

	deb http://[2345:abcd::1]/debian/ squeeze main contrib non-free

and this results in

	Err http://[2345:abcd::1] squeeze/main amd64 Packages 
	  400  Bad Request

because the Host: header in the http request is bogus, it sends

	Host: 2345:abcd::1

instead of

	Host: [2345:abcd::1]

This is similar to

	http://openradar.appspot.com/7015651

Reading rfc2616:

14.23 Host

   The Host request-header field specifies the Internet host and port
   number of the resource being requested, as obtained from the original
   URI given by the user or referring resource [...]

So I'd interpret apt's behaviour as a violation of rfc2616. (But I don't
have much expertise here, so I might be wrong.)

Best regards
Uwe

PS: the ip address isn't the real one.

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "amd64";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "1";
APT::Install-Suggests "0";
APT::Acquire "";
APT::Acquire::Translation "environment";
APT::Authentication "";
APT::Authentication::TrustCDROM "true";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^firmware-linux.*";
APT::NeverAutoRemove:: "^linux-firmware$";
APT::NeverAutoRemove:: "^linux-image.*";
APT::NeverAutoRemove:: "^kfreebsd-image.*";
APT::NeverAutoRemove:: "^linux-restricted-modules.*";
APT::NeverAutoRemove:: "^linux-ubuntu-modules-.*";
APT::Never-MarkAuto-Sections "";
APT::Never-MarkAuto-Sections:: "metapackages";
APT::Never-MarkAuto-Sections:: "restricted/metapackages";
APT::Never-MarkAuto-Sections:: "universe/metapackages";
APT::Never-MarkAuto-Sections:: "multiverse/metapackages";
APT::Never-MarkAuto-Sections:: "oldlibs";
APT::Never-MarkAuto-Sections:: "restricted/oldlibs";
APT::Never-MarkAuto-Sections:: "universe/oldlibs";
APT::Never-MarkAuto-Sections:: "multiverse/oldlibs";
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Update "";
APT::Update::Post-Invoke "";
APT::Update::Post-Invoke:: "touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";
APT::Update::Post-Invoke-Success "";
APT::Update::Post-Invoke-Success:: "[ ! -f /var/run/dbus/system_bus_socket ] || /usr/bin/dbus-send --system --dest=org.debian.apt --type=signal /org/debian/apt org.debian.apt.CacheChanged || true";
APT::Archives "";
APT::Archives::MaxAge "30";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "500";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::mirrors "mirrors/";
Dir::State::extended_states "extended_states";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::netrc "auth.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Etc::trusted "trusted.gpg";
Dir::Etc::trustedparts "trusted.gpg.d";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Media "";
Dir::Media::MountPath "/media/cdrom";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Dir::Log::History "history.log";
Dir::Ignore-Files-Silently "";
Dir::Ignore-Files-Silently:: "~$";
Dir::Ignore-Files-Silently:: "\.disabled$";
Dir::Ignore-Files-Silently:: "\.bak$";
Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$";
Acquire "";
Acquire::cdrom "";
Acquire::cdrom::mount "/media/cdrom";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -ne 10";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Tools "";
DPkg::Tools::Options "";
DPkg::Tools::Options::/usr/bin/apt-listchanges "";
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; if [ -e /var/lib/update-notifier/updates-available ]; then echo > /var/lib/update-notifier/updates-available; fi ";
Unattended-Upgrade "";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} stable";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} ${distro_codename}-security";
CommandLine "";
CommandLine::AsString "apt-config dump";

-- /etc/apt/preferences --

Package: *
Pin: release n=squeeze
Pin-Priority: 900

Package: *
Pin: release n=squeeze-updates
Pin-Priority: 900

Package: *
Pin: release n=squeeze-proposed-updates
Pin-Priority: 900

Package: *
Pin: release n=wheezy
Pin-Priority: 800

Package: *
Pin: release n=wheezy-proposed-updates
Pin-Priority: 800

Package: *
Pin: release n=sid
Pin-Priority: 700

Package: *
Pin: release n=experimental
Pin-Priority: 600

-- System Information:
Debian Release: 6.0.1
  APT prefers squeeze-updates
  APT policy: (900, 'squeeze-updates'), (900, 'proposed-updates'), (900, 'stable'), (800, 'testing-proposed-updates'), (800, 'testing'), (700, 'unstable'), (600, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2010.08.28       GnuPG archive keys of the Debian a
ii  gnupg                   1.4.10-4         GNU privacy guard - a free PGP rep
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libgcc1                 1:4.4.5-8        GCC support library
ii  libstdc++6              4.5.2-4          The GNU Standard C++ Library v3
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                     <none>       (no description available)
ii  aptitude                    0.6.3-3.2    terminal-based package manager (te
ii  bzip2                       1.0.5-6      high-quality block-sorting file co
ii  dpkg-dev                    1.15.8.10    Debian package development tools
ii  lzma                        4.43-14      Compression method of 7z format in
ii  python-apt                  0.7.100.1    Python interface to libapt-pkg
ii  synaptic                    0.70~pre1+b1 Graphical package manager

-- no debconf information
Reply to:
Next by Date: Processed: Re: Bug#620344: apt: http method sends bogus Host: header
Next by thread: Processed: Re: Bug#620344: apt: http method sends bogus Host: header
Index(es):
- Date
- Thread