It's not safe to assume that "Local Redirect Response" is the only valid use of the Location header.
-- Raul On Sat, Mar 11, 2017 at 5:22 AM, <[email protected]> wrote: >>Synopsis: httpd/slowcgi not RFC compliant w.r.t. Local Redirect Response >>Category: user >>Environment: > System : OpenBSD 6.0 (also under late Feb -current snapshot) > Details : OpenBSD 6.0-stable (GENERIC.MP) #15: Fri Mar 10 > 11:43:46 AEDT 2017 > > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP > > Architecture: OpenBSD.amd64 > Machine : amd64 >>Description: > > RFC 3875 The Common Gateway Interface (CGI) Version 1.1 > states: > ==== > 6.2.2. Local Redirect Response > > The CGI script can return a URI path and query-string > ('local-pathquery') for a local resource in a Location header field. > This indicates to the server that it should reprocess the request > using the path specified. > > local-redir-response = local-Location NL > > The script MUST NOT return any other header fields or a message-body, > and the server MUST generate the response that it would have produced > in response to a request containing the URL > > scheme "://" server-name ":" server-port local-pathquery > ==== > > httpd/slowcgi fails to comply with this and just returns the Location header > to the client. > >>How-To-Repeat: > > # set up a target file > echo "OK" > /var/www/htdocs/nbg.txt > > # create a simple CGI test program > cat > t.c <<EOC > #include <stdlib.h> > #include <stdio.h> > > int > main(__unused int argc, __unused char *argv[]) > { > fprintf(stdout, "Location: /nbg.txt\n\n"); > return 0; > } > EOC > > # build the CGI program and install as /var/www/cgi-bin/t > ... > > # try retrieving > : user@host; printf "GET /cgi-bin/t HTTP/1.0\r\nHost: > www.example.org\r\n\r\n" \ > :; | nc www.example.org 80 > HTTP/1.0 200 OK > Connection: close > Date: Sat, 11 Mar 2017 07:01:23 GMT > Location: /nbg.txt > Server: OpenBSD httpd > > # "Location: /nbg.txt" is WRONG > > # in contrast, trying the equivalent under Apache http (on a Linux host) > gives: > : user@host; printf "GET /cgi-bin/t HTTP/1.0\r\nHost: > www.example.org\r\n\r\n" \ > :; | nc www.example.org 80 > HTTP/1.1 200 OK > Date: Sat, 11 Mar 2017 07:08:23 GMT > Server: Apache > Last-Modified: Sat, 11 Mar 2017 06:36:13 GMT > ETag: "4e36ef-4-54a6eb1c95622" > Accept-Ranges: bytes > Content-Length: 3 > Connection: close > Content-Type: text/plain > > OK > > # We see the file content, which is the correct behaviour. > >>Fix: > Not know; presumably patch(es) to httpd will be required. > > > dmesg: > OpenBSD 6.0-stable (GENERIC.MP) #15: Fri Mar 10 11:43:46 AEDT 2017 > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP > real mem = 17041805312 (16252MB) > avail mem = 16520851456 (15755MB) > mpath0 at root > scsibus0 at mpath0: 256 targets > mainbus0 at root > <deleted as presumed to be irrelevant> >
