
Bug#646381: apt: Apt sends malformed HTTPS requests when including Range/If-Range headers



Package: apt
Version: 0.7.25.3ubuntu9.8
Severity: normal

HttpsMethod::Fetch will send an erroneous extra "\r\n" pair when
sending a request with the Range / If-Range headers. Depending on the
server, these extra characters can/will be interpreted as the start of
a new HTTP request on the same connection, but with a blank request
line (which normally looks like: "GET /blah"), which I observe as
resulting in an unexpected 400 response being sent back to apt.

At issue appears to be the following section of code (from line ~243
in methods/https.cc), from trunk at time of writing:

   // if we have the file send an if-range query with a range header
   if (stat(Itm->DestFile.c_str(),&SBuf) >= 0 && SBuf.st_size > 0)
   {
      char Buf[1000];
      sprintf(Buf,"Range: bytes=%li-\r\nIf-Range: %s\r\n",
	      (long)SBuf.st_size - 1,
	      TimeRFC1123(SBuf.st_mtime).c_str());
      headers = curl_slist_append(headers, Buf);
   }

The buffer passed to the curl_slist_append function should not have a
trailing "\r\n" pair, as libcurl will apparently do that for you.
I suspect that the "correct" solution is to actually call
curl_slist_append twice, once for each header, and not manually
concatenate the lines. I'm not so clued up on either C++ or libcurl,
though. :)

- Mel


-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-34-generic-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  libc6                  2.11.1-0ubuntu7.8 Embedded GNU C Library: Shared lib
ii  libgcc1                1:4.4.3-4ubuntu5  GCC support library
ii  libstdc++6             4.4.3-4ubuntu5    The GNU Standard C++ Library v3

Versions of packages apt recommends:
ii  ubuntu-keyring                2010.11.09 GnuPG keys of the Ubuntu archive

Versions of packages apt suggests:
pn  apt-doc              <none>              (no description available)
ii  aptitude             0.4.11.11-1ubuntu10 terminal-based package manager
ii  bzip2                1.0.5-4ubuntu0.1    high-quality block-sorting file co
ii  dpkg-dev             1.15.5.6ubuntu4.5   Debian package development tools
ii  lzma                 4.43-14ubuntu2      Compression method of 7z format in
ii  python-apt           0.7.94.2ubuntu6.4   Python interface to libapt-pkg
ii  synaptic             0.63.1ubuntu7       Graphical package manager

-- no debconf information
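
The framing problem described in the report, as an added example that is not part of the original report or of apt's code. It does not link libcurl: it assumes, as the report states, that the library appends "\r\n" to each header list entry itself, and the request line, host, offset and date are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample values; request line and host are placeholders. */
static const char *REQ_LINE =
    "GET /pool/example.deb HTTP/1.1\r\nHost: example.invalid\r\n";
static const char *BUGGY[] = {   /* one entry, two headers, trailing CRLF */
    "Range: bytes=1023-\r\nIf-Range: Sat, 01 Jan 2011 00:00:00 GMT\r\n" };
static const char *FIXED[] = {   /* one header per entry, no CRLF */
    "Range: bytes=1023-", "If-Range: Sat, 01 Jan 2011 00:00:00 GMT" };

/* Assumption from the report: the client library appends "\r\n" to every
   list entry, then ends the header block with one empty line. */
static size_t build_request(char *out, size_t cap, const char **hdrs, size_t n)
{
    size_t len = (size_t)snprintf(out, cap, "%s", REQ_LINE);
    for (size_t i = 0; i < n && len < cap; i++)
        len += (size_t)snprintf(out + len, cap - len, "%s\r\n", hdrs[i]);
    if (len < cap)
        len += (size_t)snprintf(out + len, cap - len, "\r\n");
    return len < cap ? len : 0;   /* 0 signals truncation */
}

/* Bytes left after the first empty line, i.e. after the point where a
   server considers this request's headers finished. */
static size_t bytes_after_header_end(const char *req, size_t len)
{
    const char *end = strstr(req, "\r\n\r\n");
    return end ? len - (size_t)(end + 4 - req) : len;
}

/* Check to run on an entry before it is added to the header list. */
static int entry_is_single_line(const char *h)
{
    return strpbrk(h, "\r\n") == NULL;
}

static size_t stray_bytes(const char **hdrs, size_t n)
{
    char buf[512];
    size_t len = build_request(buf, sizeof buf, hdrs, n);
    return bytes_after_header_end(buf, len);
}

int main(void)
{
    printf("buggy: %zu stray bytes (single-line entry: %d), fixed: %zu\n",
           stray_bytes(BUGGY, 1), entry_is_single_line(BUGGY[0]),
           stray_bytes(FIXED, 2));
    return 0;
}
```

The stray bytes in the buggy case are the extra "\r\n" that a server may read as the start of another request on the same connection.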


