>Synopsis:      httpd returns full body for HEAD requests to CGI scripts
>Category:      system
>Environment:
        System      : OpenBSD 6.9
        Details     : OpenBSD 6.9 (GENERIC.MP) #4: Tue Aug 10 08:12:23 MDT 2021
                         r...@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        RFC 7231 (HTTP/1.1) section 4.3.2. "HEAD" states:
        The HEAD method is identical to GET except that the server MUST NOT
        send a message body in the response (i.e., the response terminates at
        the end of the header section).

        However, with httpd we see (for example):
        $ printf "HEAD /cgi-bin/ftplist.cgi?dbversion=1 HTTP/1.0\r\nHost:ftp.openbsd.org\r\n\r\n" \
            | nc -c ftp.openbsd.org https
        HTTP/1.0 200 OK
        Connection: close
        Content-type: text/plain
        Date: Fri, 01 Oct 2021 12:50:59 GMT
        Server: OpenBSD httpd

        https://mirror.aarnet.edu.au/pub/OpenBSD                  Canberra, Australia
        https://cdn.openbsd.org/pub/OpenBSD                              Fastly (CDN)
        https://cloudflare.cdn.openbsd.org/pub/OpenBSD               Cloudflare (CDN)
        ...
        RND_BYTES=0xfe9832a3...

>How-To-Repeat:
        Perform a HEAD request for a CGI script (as above, or Undeadly, etc).
>Fix:
        Unknown.  Presumably, httpd needs modification.

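The check the report performs by hand with printf and nc, as an added example that is not part of the bug report or of OpenBSD httpd: it builds the same HTTP/1.0 HEAD request, splits a raw response at the end of the header section, and flags any bytes that follow it. The response bytes embedded below are constructed for the test and only modelled on the output shown above; the network fetch and the CGI-side guard (which assumes a script that can read REQUEST_METHOD, as CGI scripts do) are illustrative and are not the reporter's proposed fix.

```python
"""Detect a HEAD response that carries a message body (RFC 7231 section 4.3.2).

Added example; not code from the bug report or from OpenBSD httpd.  The sample
responses at the bottom are constructed, modelled on the report's output.
"""
import socket
import ssl

CRLF = b"\r\n"


def build_head_request(host: str, path: str) -> bytes:
    """Build the HTTP/1.0 HEAD request the report sends with printf | nc."""
    return (b"HEAD " + path.encode() + b" HTTP/1.0" + CRLF
            + b"Host: " + host.encode() + CRLF + CRLF)


def split_response(raw: bytes):
    """Split a raw response into (status line, header dict, body bytes).

    The header section ends at the first empty line; everything after it is
    message body.  A Content-Length header is deliberately ignored: a HEAD
    response may legitimately announce a length without sending the bytes.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        # Tolerate bare-LF servers; with no blank line at all there is no body.
        head, sep, body = raw.partition(b"\n\n")
    lines = head.split(CRLF) if CRLF in head else head.split(b"\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def head_leaks_body(raw: bytes) -> bool:
    """True if any message-body bytes follow the header section of a HEAD response."""
    _, _, body = split_response(raw)
    return len(body) > 0


def fetch_head_raw(host: str, path: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Send the HEAD request over TLS and return everything the server sends.

    Network access; not exercised by the offline test.
    """
    ctx = ssl.create_default_context()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_head_request(host, path))
            while True:
                chunk = tls.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks)


def cgi_respond(environ: dict, content_type: str, body: bytes) -> bytes:
    """Script-side guard (assumed workaround, not the reporter's fix).

    CGI (RFC 3875) passes REQUEST_METHOD to the script; a script that checks it
    can emit headers only for HEAD, so there is no body for the server to relay.
    """
    out = b"Content-type: " + content_type.encode() + CRLF + CRLF
    if environ.get("REQUEST_METHOD", "GET").upper() == "HEAD":
        return out
    return out + body


# Constructed sample modelled on the report's output; the body line after the
# blank line is exactly what a HEAD response must not contain.
LEAKY_HEAD_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Connection: close\r\n"
    b"Content-type: text/plain\r\n"
    b"Server: OpenBSD httpd\r\n"
    b"\r\n"
    b"https://cdn.openbsd.org/pub/OpenBSD    Fastly (CDN)\r\n"
)

# Constructed compliant sample: response terminates at the end of the headers.
COMPLIANT_HEAD_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Connection: close\r\n"
    b"Content-type: text/plain\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("leaky sample leaks body:", head_leaks_body(LEAKY_HEAD_RESPONSE))
    print("compliant sample leaks body:", head_leaks_body(COMPLIANT_HEAD_RESPONSE))
```

To test a live server, pass the output of fetch_head_raw() to head_leaks_body(); the split is done on raw bytes on purpose, since an HTTP client library would discard the body of a HEAD response and hide the very defect being reported.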