headers: accept leading whitespaces on first response header

This is a bad header fold but since the popular browsers accept this violation, so does curl now. Unless built with hyper. Add test 1473 to verify and adjust test 2306. Reported-by: junsik on github Fixes #11605 Closes #11607
2024-11-21 01:16:58 +08:00 · 2023-08-07 12:45:45 +02:00 · 2023-08-07 12:45:45 +02:00 · 95ca3c53d3
commit 95ca3c53d3
parent cfe85ca562
6 changed files with 97 additions and 33 deletions
--- a/docs/HYPER.md
+++ b/docs/HYPER.md
@ -57,6 +57,7 @@ The hyper backend does not support
 - `--raw` and disabling `CURLOPT_HTTP_TRANSFER_DECODING`
 - RTSP
 - hyper is much stricter about what HTTP header contents it allows
+- leading whitespace in first HTTP/1 response header
 - HTTP/0.9
 - HTTP/2 upgrade using HTTP:// URLs. Aka 'h2c'

--- a/lib/headers.c
+++ b/lib/headers.c
@ -300,9 +300,16 @@ CURLcode Curl_headers_push(struct Curl_easy *data, const char *header,
    if(data->state.prevhead)
      /* line folding, append value to the previous header's value */
      return unfold_value(data, header, hlen);
-    else
-      /* can't unfold without a previous header */
-      return CURLE_BAD_FUNCTION_ARGUMENT;
+    else {
+      /* Can't unfold without a previous header. Instead of erroring, just
+         pass the leading blanks. */
+      while(hlen && ISBLANK(*header)) {
+        header++;
+        hlen--;
+      }
+      if(!hlen)
+        return CURLE_WEIRD_SERVER_REPLY;
+    }
  }

  hs = calloc(1, sizeof(*hs) + hlen);
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@ -161,33 +161,32 @@ test1247 test1248 test1249 test1250 test1251 test1252 test1253 test1254 \
 test1255 test1256 test1257 test1258 test1259 test1260 test1261 test1262 \
 test1263 test1264 test1265 test1266 test1267 test1268 test1269 test1270 \
 test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 \
-test1279 \
+test1279 test1280 test1281 test1282 test1283 test1284 test1285 test1286 \
+test1287 test1288 test1289 test1290 test1291 test1292 test1293 test1294 \
+test1295 test1296 test1297 test1298 test1299 test1300 test1301 test1302 \
+test1303 test1304 test1305 test1306 test1307 test1308 test1309 test1310 \
+test1311 test1312 test1313 test1314 test1315 test1316 test1317 test1318 \
+test1319 test1320 test1321 test1322 test1323 test1324 test1325 test1326 \
+test1327 test1328 test1329 test1330 test1331 test1332 test1333 test1334 \
+test1335 test1336 test1337 test1338 test1339 test1340 test1341 test1342 \
+test1343 test1344 test1345 test1346 test1347 test1348 test1349 test1350 \
+test1351 test1352 test1353 test1354 test1355 test1356 test1357 test1358 \
+test1359 test1360 test1361 test1362 test1363 test1364 test1365 test1366 \
+test1367 test1368 test1369 test1370 test1371 test1372 test1373 test1374 \
+test1375 test1376 test1377 test1378 test1379 test1380 test1381 test1382 \
+test1383 test1384 test1385 test1386 test1387 test1388 test1389 test1390 \
+test1391 test1392 test1393 test1394 test1395 test1396 test1397 test1398 \
+test1399 test1400 test1401 test1402 test1403 test1404 test1405 test1406 \
+test1407 test1408 test1409 test1410 test1411 test1412 test1413 test1414 \
+test1415 test1416 test1417 test1418 test1419 test1420 test1421 test1422 \
+test1423 test1424 test1425 test1426 test1427 test1428 test1429 test1430 \
+test1431 test1432 test1433 test1434 test1435 test1436 test1437 test1438 \
+test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \
+test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \
+test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \
+test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \
+test1471 test1472 test1473 \
 \
-test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 \
-test1288 test1289 test1290 test1291 test1292 test1293 test1294 test1295 \
-test1296 test1297 test1298 test1299 test1300 test1301 test1302 test1303 \
-test1304 test1305 test1306 test1307 test1308 test1309 test1310 test1311 \
-test1312 test1313 test1314 test1315 test1316 test1317 test1318 test1319 \
-test1320 test1321 test1322 test1323 test1324 test1325 test1326 test1327 \
-test1328 test1329 test1330 test1331 test1332 test1333 test1334 test1335 \
-test1336 test1337 test1338 test1339 test1340 test1341 test1342 test1343 \
-test1344 test1345 test1346 test1347 test1348 test1349 test1350 test1351 \
-test1352 test1353 test1354 test1355 test1356 test1357 test1358 test1359 \
-test1360 test1361 test1362 test1363 test1364 test1365 test1366 test1367 \
-test1368 test1369 test1370 test1371 test1372 test1373 test1374 test1375 \
-test1376 test1377 test1378 test1379 test1380 test1381 test1382 test1383 \
-test1384 test1385 test1386 test1387 test1388 test1389 test1390 test1391 \
-test1392 test1393 test1394 test1395 test1396 test1397 test1398 test1399 \
-test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \
-test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
-test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
-test1424 test1425 test1426 test1427 test1428 test1429 test1430 test1431 \
-test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 \
-test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 \
-test1448 test1449 test1450 test1451 test1452 test1453 test1454 test1455 \
-test1456 test1457 test1458 test1459 test1460 test1461 test1462 test1463 \
-test1464 test1465 test1466 test1467 test1468 test1469 test1470 test1471 \
-test1472 \
 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
 test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
 test1516 test1517 test1518 test1519 test1520 test1521 test1522 test1523 \
--- a/tests/data/test1473
+++ b/tests/data/test1473
@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+header line folding
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 200 OK
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Content-Length: 6
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+first HTTP header starts with white space
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+%if hyper
+# curl: (1) Hyper: [6] invalid HTTP header parsed
+<errorcode>
+1
+</errorcode>
+%endif
+</verify>
+</testcase>
--- a/tests/data/test2306
+++ b/tests/data/test2306
@ -24,10 +24,10 @@ Funny-head: yesyes
 -foo-
 </data>
 <data2 nocheck="yes">
-HTTP/1.1 200 OK
+HTTP/1.1 200 OK swsclose
 	Access-Control-Allow-Origin: *
-	Connection: Keep-Alive
-	Content-Type: text/html; charset=utf-8
+Connection: Keep-Alive
+Content-Type: text/html; charset=utf-8
 Date: Wed, 10 May 2023 14:58:08 GMT

 -foo-
@ -45,7 +45,7 @@ lib%TESTNUMBER
 </tool>

 <name>
-HTTP GET re-used handle but only folded headers
+HTTP GET re-used handle with first header folded
 </name>
 <command>
 http://%HOSTIP:%HTTPPORT/%TESTNUMBER http://%HOSTIP:%HTTPPORT/%TESTNUMBER0002
--- a/tests/libtest/lib2306.c
+++ b/tests/libtest/lib2306.c
@ -43,6 +43,7 @@ int test(char *URL)

  /* re-use handle, do a second transfer */
  curl_easy_setopt(cl, CURLOPT_URL, URL2);
+  curl_easy_setopt(cl, CURLOPT_VERBOSE, 1L);
  curl_easy_perform(cl);
  curl_easy_cleanup(cl);
  curl_global_cleanup();