Bug#646381: apt: Apt sends malformed HTTPS requests when including Range/If-Range headers
Package: apt
Version: 0.7.25.3ubuntu9.8
Severity: normal
HttpsMethod::Fetch will send an erroneous extra "\r\n" pair when
sending a request with the Range / If-Range headers. Depending on the
server, these extra characters can/will be interpreted as the start of
a new HTTP request on the same connection, but with a blank request
line (which normally looks like: "GET /blah"), which I observe as
resulting in an unexpected 400 response being sent back to apt.
At issue appears to be the following section of code (from line ~243
in methods/https.cc), from trunk at time of writing:
// if we have the file send an if-range query with a range header
if (stat(Itm->DestFile.c_str(),&SBuf) >= 0 && SBuf.st_size > 0)
{
char Buf[1000];
sprintf(Buf,"Range: bytes=%li-\r\nIf-Range: %s\r\n",
(long)SBuf.st_size - 1,
TimeRFC1123(SBuf.st_mtime).c_str());
headers = curl_slist_append(headers, Buf);
}
The buffer passed to the curl_slist_append function should not have a
trailing "\r\n" pair, as libcurl will apparently do that for you.
I suspect that the "correct" solution is to actually call
curl_slist_append twice, once for each header, and not manually
concatenate the lines. I'm not so clued up on either C++ or libcurl,
though. :)
- Mel
-- Package-specific info:
-- (no /etc/apt/preferences present) --
-- (/etc/apt/sources.list present, but not submitted) --
-- System Information:
Debian Release: squeeze/sid
APT prefers lucid-updates
APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-34-generic-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apt depends on:
ii libc6 2.11.1-0ubuntu7.8 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.4.3-4ubuntu5 GCC support library
ii libstdc++6 4.4.3-4ubuntu5 The GNU Standard C++ Library v3
Versions of packages apt recommends:
ii ubuntu-keyring 2010.11.09 GnuPG keys of the Ubuntu archive
Versions of packages apt suggests:
pn apt-doc <none> (no description available)
ii aptitude 0.4.11.11-1ubuntu10 terminal-based package manager
ii bzip2 1.0.5-4ubuntu0.1 high-quality block-sorting file co
ii dpkg-dev 1.15.5.6ubuntu4.5 Debian package development tools
ii lzma 4.43-14ubuntu2 Compression method of 7z format in
ii python-apt 0.7.94.2ubuntu6.4 Python interface to libapt-pkg
ii synaptic 0.63.1ubuntu7 Graphical package manager
-- no debconf information
Reply to: