On Sat, Oct 02, 2021 at 09:02:39PM +0200, Sebastian Benoit wrote:
>[...]
> 
> Indeed, this should be handled better by httpd(8), I think.
> 

Some more relevant information...

RFC 3875 [The Common Gateway Interface (CGI) Version 1.1] in
section 4.3.2 HEAD states:
   The HEAD method requests the script to do sufficient processing to
   return the response header fields, without providing a response
   message-body.  The script MUST NOT provide a response message-body
   for a HEAD request.  If it does, then the server MUST discard the
   message-body when reading the response from the script.
So scripts *are* violating the CGI specification, but so is the server.

If it is decided that it is the scripts which are at fault, then at
least the following (in addition to ftplist.cgi) require attention:
        cvsweb.openbsd.org
        man.openbsd.org
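
The server-side half of the RFC 3875 section 4.3.2 requirement quoted above, as an added example that is not part of the original message and is not httpd(8) code: the hypothetical helper cgi_relay_len() returns how many bytes of a script's output may be relayed to the client, cutting a HEAD response at the end of the header block. It assumes the whole script output sits in one buffer; the sample output in main() is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Offset just past the blank line that ends the CGI header block, or 0
 * if the buffer holds no complete header block. Scripts may terminate
 * lines with LF or CRLF, so both forms are accepted.
 */
static size_t
cgi_header_end(const char *buf, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++) {
		if (buf[i] != '\n')
			continue;
		if (i + 1 < len && buf[i + 1] == '\n')
			return i + 2;
		if (i + 2 < len && buf[i + 1] == '\r' && buf[i + 2] == '\n')
			return i + 3;
	}
	return 0;
}

/* Number of bytes of script output the server may relay to the client. */
size_t
cgi_relay_len(const char *method, const char *buf, size_t len)
{
	size_t end = cgi_header_end(buf, len);

	if (end == 0)
		return len;	/* header block not finished: nothing to cut */
	if (strcmp(method, "HEAD") == 0)
		return end;	/* discard the message-body the script sent */
	return len;
}

int
main(void)
{
	/* Constructed output of a script that ignores REQUEST_METHOD. */
	const char out[] = "Content-Type: text/plain\n\nhello\n";

	printf("GET relays %zu bytes, HEAD relays %zu bytes\n",
	    cgi_relay_len("GET", out, strlen(out)),
	    cgi_relay_len("HEAD", out, strlen(out)));
	return 0;
}
```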
