NetBSD Problem Report #58881

From www@netbsd.org  Sat Dec  7 16:15:56 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits)
	 client-signature RSA-PSS (2048 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 63E6E1A923D
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  7 Dec 2024 16:15:56 +0000 (UTC)
Message-Id: <20241207161554.C34C81A9246@mollari.NetBSD.org>
Date: Sat,  7 Dec 2024 16:15:54 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: .bzabsredirect doesn't support scheme-relative redirects
X-Send-Pr-Version: www-1.0

>Number:         58881
>Category:       bin
>Synopsis:       .bzabsredirect doesn't support scheme-relative redirects
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    mrg
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 07 16:20:00 +0000 2024
>Last-Modified:  Sat Dec 07 16:27:35 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, ...
>Organization:
The NetBozoD 302 Foundation
>Environment:
>Description:
If you put an absolute URL like https://example.com/foo in .bzabsredirect, it redirects to that URL exactly.

$ curl http://...
HTTP/1.1 301 Document Moved
Server: bozohttpd/20220517
Content-Type: text/html
Location: https://example.com/foo
...

If you put a scheme-relative URL like example.com/foo in .bzabsredirect, and you query it over HTTP you get an http:// URL, while if you query it over HTTPS -- provided the HTTPS is terminated by bozohttpd itself -- you get an https:// URL:

$ curl http://...
HTTP/1.1 301 Document Moved
Server: bozohttpd/20220517
Content-Type: text/html
Location: http://example.com/foo
...
$ curl https://...
HTTP/1.1 301 Document Moved
Server: bozohttpd/20220517
Content-Type: text/html
Location: https://example.com/foo
...

But there seems to be no way for bozohttpd to return a relative URL (endorsed by RFC 7231, Sec. 7.1.2 `Location') like:

$ curl http://...
HTTP/1.1 301 Document Moved
Server: bozohttpd/20220517
Content-Type: text/html
Location: //example.com/foo
...

This would be nice to have to allow a site to work over HTTP or HTTPS behind a CDN -- e.g., right now, http://cdn.NetBSD.org/pub/NetBSD-daily unconditionally redirects to https://nycdn.NetBSD.org/pub/NetBSD-daily but it would be nice if it redirected to //nycdn.NetBSD.org/pub/NetBSD-daily so the browser can stay in the same scheme.

It may also be more important for a setup where bozohttpd doesn't terminate TLS itself and instead serves to a front end load balancer.
>How-To-Repeat:

>Fix:
Possibilities:

1. Change the existing semantics of .bzabsredirect -> <host>/<path> so that bozohttpd returns a scheme-relative URL: `Location: //<host>/<path>'.

2. Instead of changing the semantics of that form, do it instead for .bzabsredirect -> //<host>/<path>, so users can opt into it.

   In principle this could have been meant to be an absolute local path on the file system, with a redundant / at the root, but even POSIX endorses treating pathnames that begin with `//' specially:

     `Multiple successive <slash> characters are considered to be the same as one <slash>, except for the case of exactly two leading <slash> characters.'  https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_271

     `If a pathname begins with two successive <slash> characters, the first component following the leading <slash> characters may be interpreted in an implementation-defined manner, although more than two leading <slash> characters shall be treated as a single <slash> character.'  https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_13
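
The following is an added illustration, not bozohttpd's code and not part of this PR: a small C program that computes the Location value each form of .bzabsredirect content would yield under possibility 2 above (absolute URL copied as-is, `//<host>/<path>` copied as-is as a scheme-relative reference, bare `<host>/<path>` prefixed with the request's scheme as today), and then shows what a client does with that value by resolving a `//`-prefixed reference against the request scheme as RFC 3986 Sec. 5.2 prescribes. The function names `build_location` and `resolve_location` are hypothetical, and the targets in `main()` are constructed from the examples in this report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not bozohttpd code) for the Location value that
 * possibility 2 in this PR would produce for each form of .bzabsredirect:
 *
 *   "https://host/path", "http://host/path" -> copied unchanged (absolute)
 *   "//host/path"                           -> copied unchanged (the new
 *                                              opt-in scheme-relative form)
 *   "host/path"                             -> "http://" or "https://"
 *                                              prepended according to
 *                                              whether the request was TLS
 *                                              (existing behaviour)
 *
 * Returns the length written, or -1 if the buffer is too small.
 */
static int
build_location(const char *target, bool request_is_https,
    char *out, size_t outlen)
{
	int n;

	if (strncmp(target, "http://", 7) == 0 ||
	    strncmp(target, "https://", 8) == 0 ||
	    strncmp(target, "//", 2) == 0)
		n = snprintf(out, outlen, "%s", target);
	else
		n = snprintf(out, outlen, "%s://%s",
		    request_is_https ? "https" : "http", target);

	if (n < 0 || (size_t)n >= outlen)
		return -1;
	return n;
}

/*
 * Client side: RFC 7231 Sec. 7.1.2 permits a relative reference in
 * Location, and RFC 3986 Sec. 5.2.2 resolves a reference beginning with
 * "//" by taking only the scheme from the request URI.  Absolute URLs are
 * used as-is; other relative forms are outside the scope of this PR.
 */
static int
resolve_location(const char *location, const char *request_scheme,
    char *out, size_t outlen)
{
	int n;

	if (strncmp(location, "//", 2) == 0)
		n = snprintf(out, outlen, "%s:%s", request_scheme, location);
	else
		n = snprintf(out, outlen, "%s", location);

	if (n < 0 || (size_t)n >= outlen)
		return -1;
	return n;
}

/* Convenience predicates used by main() and by the checks below. */
static bool
location_is(const char *target, bool https, const char *expected)
{
	char buf[256];

	return build_location(target, https, buf, sizeof(buf)) >= 0 &&
	    strcmp(buf, expected) == 0;
}

static bool
resolved_is(const char *location, const char *scheme, const char *expected)
{
	char buf[256];

	return resolve_location(location, scheme, buf, sizeof(buf)) >= 0 &&
	    strcmp(buf, expected) == 0;
}

int
main(void)
{
	/* Constructed sample .bzabsredirect contents, mirroring the PR. */
	static const char *const targets[] = {
		"https://example.com/foo", "example.com/foo", "//example.com/foo",
	};
	static const char *const schemes[] = { "http", "https" };
	char loc[256], resolved[256];

	for (size_t i = 0; i < 3; i++) {
		for (size_t s = 0; s < 2; s++) {
			bool https = (s == 1);

			if (build_location(targets[i], https, loc, sizeof(loc)) < 0 ||
			    resolve_location(loc, schemes[s], resolved,
			    sizeof(resolved)) < 0)
				return 1;
			printf("%-24s over %-5s -> Location: %-24s client fetches %s\n",
			    targets[i], schemes[s], loc, resolved);
		}
	}
	return 0;
}
```

Running it prints one line per target and request scheme; the `//example.com/foo` form is the only one whose Location is identical over both schemes, while the client still ends up at `http://` or `https://` matching the page it came from, which is exactly the CDN behaviour the description asks for.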

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: bin-bug-people->mrg
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Sat, 07 Dec 2024 16:27:35 +0000
Responsible-Changed-Why:
please accept this gift of additional work for when your vacation ends


>Unformatted:
