Package: tclcurl
Version: 7.22.0-1
Severity: important

Dear Maintainer,

This is similar to (unfixed) bug 680662 (from 3 yrs ago), but much more severe. When the "-file" option is used for a GET, the file will be zero in size with all data lost if the -bodyvar option is used in a later transaction. This is very astonishing, baffling, and frustrating to users who have little hope of knowing what's wrong.

After much time analyzing strace output, it became clear what happens. The file is opened for writing, and the data is in fact sent, but the file is not closed. Then use of -bodyvar causes the filename previously used for the -file option to be opened again! And it's not opened in append mode either. To worsen diagnosis, nothing is written to the file, so the user cannot see that the past filename was reused in the following operation.

This bug has a high chance of occurrence, because any session that involves a logout at the end is likely to use -bodyvar and not -file, because it's not interesting to save the "goodbye" page in a file, but perhaps useful to render the variable to show the user.

This is the demonstration script, which includes commented-out workarounds:

====8<----------------------------------------
#!/usr/bin/tclsh8.6

package require TclCurl

set curlHandle [::curl::init]

$curlHandle configure -url http://bugs.debian.org\
                      -file /tmp/directly_written_file.html
$curlHandle perform

puts "strace shows that the file was opened and written to (but never closed)"

# There are two undocumented workarounds at this point.
#
# (1) This workaround is the most intuitive, but it does not always
#     work! It's also quite inconvenient because pre-existing config
#     options must be reconfigured afterwards:
#
#     $curlHandle reset
#
# (2) This workaround seems to always work, but very non-intuitive.
#     Most users have no hope of figuring this out. They will just
#     wonder why their file is not being written.
#
#     $curlHandle configure -file /dev/null

$curlHandle configure -url http://www.fsf.org\
                      -bodyvar payload_fsf
$curlHandle perform

puts "this 2nd /perform/ is where the damage is done."
puts "strace shows the same file is opened again even though bodyvar is used instead of -file."
puts "the reopening of the same filename causes it to get clobbered before it is written and closed."

$curlHandle cleanup

puts "file holds: [exec cat /tmp/directly_written_file.html]"
====8<----------------------------------------

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tclcurl depends on:
ii  libc6            2.19-18+deb8u1
ii  libcurl3-gnutls  7.38.0-4+deb8u2
ii  tcl [tclsh]      8.6.0+8

tclcurl recommends no packages.

Versions of packages tclcurl suggests:
pn  libcurl4-gnutls-dev  <none>

-- no debconf information
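
The strace diagnosis described in the report can be automated. The following is an added example, not part of the original report or of TclCurl: it scans strace output for a truncating re-open of a path that an earlier, still-open descriptor has already written data to. The trace lines are constructed for illustration, and the parser assumes plain `strace` output without `-f` pid prefixes.

```python
import re

# Constructed strace excerpt (not captured from TclCurl) matching the report:
# the -file target is opened and written, never closed, then truncated again.
# /tmp/other.html is a normal close-then-overwrite and must not be flagged.
SAMPLE_TRACE = '''
open("/tmp/directly_written_file.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
write(4, "<!DOCTYPE html>"..., 4096) = 4096
write(4, "</body></html>"..., 1203) = 1203
open("/tmp/other.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
write(6, "x", 1) = 1
close(6) = 0
open("/tmp/other.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
close(6) = 0
open("/tmp/directly_written_file.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
close(5) = 0
'''

OPEN_RE = re.compile(
    r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)", ([A-Z_|]+)(?:, \d+)?\)\s+= (\d+)')
WRITE_RE = re.compile(r'^write\((\d+), .*\)\s+= (\d+)')
CLOSE_RE = re.compile(r'^close\((\d+)\)\s+= 0')

def find_clobbers(trace):
    """Return (path, old_fd, bytes_lost, new_fd) for each O_TRUNC open of a
    path that a still-open descriptor has already written data to."""
    open_fds = {}   # fd -> [path, bytes written through this fd]
    findings = []
    for line in trace.splitlines():
        if m := OPEN_RE.match(line):
            path, flags, fd = m.group(1), m.group(2).split("|"), int(m.group(3))
            if "O_TRUNC" in flags:
                for old_fd, (old_path, written) in open_fds.items():
                    if old_path == path and written > 0:
                        findings.append((path, old_fd, written, fd))
            open_fds[fd] = [path, 0]
        elif m := WRITE_RE.match(line):
            if int(m.group(1)) in open_fds:
                open_fds[int(m.group(1))][1] += int(m.group(2))
        elif m := CLOSE_RE.match(line):
            open_fds.pop(int(m.group(1)), None)
    return findings

if __name__ == "__main__":
    for path, old_fd, lost, new_fd in find_clobbers(SAMPLE_TRACE):
        print(f"{path}: fd {new_fd} truncated {lost} bytes written via open fd {old_fd}")
```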