
This queue is for tickets about the libwww-perl CPAN distribution.

Report information
The Basics
Id: 85759
Status: resolved
Priority: 0/
Queue: libwww-perl

People
Owner: Nobody in particular
Requestors: victor [...] vsespb.ru
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 6.05
Fixed in: (no value)



Subject: Response content-length not validated.
If the server closes the connection after sending headers, LWP does not validate Content-Length.

Some PoC code here: http://www.perlmonks.org/?node_id=1035977

Example of the response that the 'GET' tool returns:

GET -S -e http://localhost:9903/
GET http://localhost:9903/ --> 200 OK
Content-Length: 133
Client-Date: Thu, 30 May 2013 06:41:09 GMT
Client-Peer: 127.0.0.1:9903
Client-Response-Num: 1

LNJKjadfkj

I also experience the same problem in a real application (without the GET tool) (with callbacks (content_file, content_cb), in SSL mode with Amazon AWS servers).

I am not sure if this is a bug, or expected behaviour, or just should be documented.
But I think it could be handled with headers similar to X-Died or Client-Warning.
On 2013-05-31 06:02:06, vsespb wrote:
> If the server closes the connection after sending headers, LWP does not
> validate Content-Length.
>
> Some PoC code here: http://www.perlmonks.org/?node_id=1035977
>
> Example of the response that the 'GET' tool returns:
>
> GET -S -e http://localhost:9903/
> GET http://localhost:9903/ --> 200 OK
> Content-Length: 133
> Client-Date: Thu, 30 May 2013 06:41:09 GMT
> Client-Peer: 127.0.0.1:9903
> Client-Response-Num: 1
>
> LNJKjadfkj
>
> I also experience the same problem in a real application (without the GET tool)
> (with callbacks (content_file, content_cb), in SSL mode with Amazon
> AWS servers).
>
> I am not sure if this is a bug, or expected behaviour, or just should be
> documented.
> But I think it could be handled with headers similar to X-Died or
> Client-Warning.

I agree that this is a bug, and should return an HTTP::Response result which says false to is_success().
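
A caller-side check for the truncation reported in this ticket, as an added example that is not part of the ticket, the PerlMonks PoC, or LWP itself. The helper name content_length_mismatch and its optional byte-count argument are hypothetical; the sample response is constructed from the values shown in the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Response;

# Hypothetical helper (not an LWP API). Returns a description when the body
# is shorter or longer than Content-Length, or undef when the lengths agree
# or the check does not apply. $received is optional: pass the byte count
# gathered by a content callback or the size of the content file, since the
# response object holds no body in those modes.
sub content_length_mismatch {
    my ($res, $received) = @_;

    # HEAD requests and 1xx/204/304 responses carry no body.
    my $req = $res->request;
    return if $req && $req->method eq 'HEAD';
    return if $res->code =~ /^(?:1\d\d|204|304)$/;

    # With a transfer coding (e.g. chunked) Content-Length does not describe
    # the body; both header names are checked to be safe.
    return if defined $res->header('Transfer-Encoding')
           || defined $res->header('Client-Transfer-Encoding');

    # Skip absent, repeated or malformed values rather than guessing.
    my $declared = $res->header('Content-Length');
    return unless defined $declared && $declared =~ /^\d+$/;

    # content_ref points at the raw body as received, before any
    # Content-Encoding is decoded, which is what Content-Length counts.
    $received = length ${ $res->content_ref } unless defined $received;
    return if $received == $declared;
    return "Content-Length is $declared but $received bytes were received";
}

# Constructed response mirroring the ticket: 133 bytes declared, 10 bytes
# delivered before the server closed the connection.
my $res = HTTP::Response->new(200, 'OK', [ 'Content-Length' => 133 ],
                              'LNJKjadfkj');

if (defined(my $why = content_length_mismatch($res))) {
    print "treating response as failed: $why\n";
}
```

Until the library reports the short read itself, a caller that trusts is_success() alone will accept a truncated body as complete, so a check like this belongs before the body is parsed, stored or verified.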

