>Synopsis:	httpd returns full body for HEAD requests to CGI scripts
>Category:	system
>Environment:
	System      : OpenBSD 6.9
	Details     : OpenBSD 6.9 (GENERIC.MP) #4: Tue Aug 10 08:12:23 MDT 2021
			 r...@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

	Architecture: OpenBSD.amd64
	Machine     : amd64
>Description:
	RFC 7231 (HTTP/1.1) section 4.3.2. "HEAD" states:

	    The HEAD method is identical to GET except that the server MUST NOT
	    send a message body in the response (i.e., the response terminates at
	    the end of the header section).

	However, with httpd we see (for example):

	$ printf "HEAD /cgi-bin/ftplist.cgi?dbversion=1 HTTP/1.0\r\nHost:ftp.openbsd.org\r\n\r\n" \
	    | nc -c ftp.openbsd.org https
	HTTP/1.0 200 OK
	Connection: close
	Content-type: text/plain
	Date: Fri, 01 Oct 2021 12:50:59 GMT
	Server: OpenBSD httpd

	https://mirror.aarnet.edu.au/pub/OpenBSD Canberra, Australia
	https://cdn.openbsd.org/pub/OpenBSD Fastly (CDN)
	https://cloudflare.cdn.openbsd.org/pub/OpenBSD Cloudflare (CDN)
	...
	RND_BYTES=0xfe9832a3...
>How-To-Repeat:
	Perform a HEAD request for a CGI script (as above, or Undeadly, etc).
>Fix:
	Unknown. Presumably, httpd needs modification.
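
The check described in the report can be scripted as a regression test. The following is an added example, not part of the original report or of httpd; the function names and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag HEAD responses that carry a message body.

# Read a raw HTTP response on stdin and print the number of bytes that
# follow the blank line ending the header section (CRLF or bare LF).
# A response with no blank line at all is reported as 0 body bytes.
head_body_bytes() {
    cr=$(printf '\r')
    sed "1,/^${cr}\{0,1\}\$/d" | wc -c | tr -d ' '
}

# Return 0 if the response on stdin ends at the header section,
# 1 if body bytes follow it (the behaviour shown in the report).
check_head() {
    n=$(head_body_bytes)
    if [ "$n" -eq 0 ]; then
        echo "ok: response ends at the header section"
        return 0
    fi
    echo "FAIL: $n body bytes follow the header section"
    return 1
}

# Constructed sample: headers followed by a body, as in the report.
sample_bad() {
    printf 'HTTP/1.0 200 OK\r\nConnection: close\r\n'
    printf 'Content-type: text/plain\r\nServer: OpenBSD httpd\r\n\r\n'
    printf 'constructed body line\n'
}

# Constructed sample: the same headers with nothing after them.
sample_good() {
    printf 'HTTP/1.0 200 OK\r\nConnection: close\r\n'
    printf 'Content-type: text/plain\r\nServer: OpenBSD httpd\r\n\r\n'
}

# Offline demonstration on the constructed samples.
sample_good | check_head
sample_bad | check_head || true

# Against a live server, pipe the report's own request into the check:
#   printf 'HEAD /cgi-bin/ftplist.cgi?dbversion=1 HTTP/1.0\r\nHost:ftp.openbsd.org\r\n\r\n' \
#       | nc -c ftp.openbsd.org https | check_head
```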