[tor-bugs] #22865 [Obfuscation/meek]: Explicitly set Content-Length to zero when there is no data to send

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jul 15 20:36:27 UTC 2017


#22865: Explicitly set Content-Length to zero when there is no data to send
------------------------------+------------------------------
 Reporter:  twim              |          Owner:  dcf
     Type:  defect            |         Status:  needs_review
 Priority:  Medium            |      Milestone:
Component:  Obfuscation/meek  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+------------------------------

Comment (by dcf):

 I've just done a test here locally, and meek-client compiled with `go1.8.3
 linux/amd64` sends `Content-Length: 0` even without the patch from this
 ticket. I inspected the traffic by running a socat shim on port 4000:
 {{{
 socat -v -v TCP-LISTEN:4000,fork,reuseaddr OPENSSL:xxx.appspot.com:443
 }}}
 Then I configured tor to connect through 127.0.0.1:4000
 {{{
 UseBridges 1
 ClientTransportPlugin meek exec ./meek-client --log meek-client.log
 Bridge meek 0.0.2.0:3 url=http://xxx.appspot.com/ front=127.0.0.1:4000
 }}}
 The socat output contains examples like this:
 {{{
 POST / HTTP/1.1\r
 Host: meek-reflect-test.appspot.com\r
 User-Agent: Go-http-client/1.1\r
 Content-Length: 0\r
 X-Session-Id: Mv2/KXfE3mE\r
 Accept-Encoding: gzip\r
 \r
 }}}
 Are you able to reproduce this? I don't see how the patch would cause it
 to behave any differently. And the documentation for
 [https://golang.org/pkg/net/http/#NewRequest http.NewRequest] says that a
 *bytes.Reader has special handling and sets the body to the magic value
 [https://golang.org/pkg/net/http/#pkg-variables NoBody] when the length of
 the Reader is 0:
 > If body is of type *bytes.Buffer, *bytes.Reader, or *strings.Reader, the
 returned request's ContentLength is set to its exact value (instead of
 -1), GetBody is populated (so 307 and 308 redirects can replay the body),
 and Body is set to NoBody if the ContentLength is 0.
 So I'm wondering if this patch is really needed? If so, can you give me
 complete reproduction instructions so that I can see the bug for myself?

 ----

 Replying to [comment:6 twim]:
 > Seems to be not a bug. This is now persistent behavior at Google
 AppEngine Flexible Environment. Most likely it was being upgraded at that
 moment. Standard Environment works as before (without inspection
 middleware).

 I'm confused now by your references to the flexible environment. I tried
 deploying reflect.go to the flexible environment by adding `env: flex` to
 app.yaml:
 {{{
 env: flex
 runtime: go
 api_version: go1
 automatic_scaling:
   max_idle_instances: 2
   min_pending_latency: 1000ms

 handlers:
 - url: /.*
   script: _go_app
   secure: always
 }}}
 However that caused `gcloud app deploy` to display an error message:
 {{{
 2017/07/15 13:04:04 failed analyzing meek/appengine: the root of your app
 needs to be package "main" (currently "reflect")
 }}}
 If I change the package name from `"reflect"` to `"main"`, I get another
 error:
 {{{
 2017/07/15 13:05:45 failed analyzing meek/appengine: cannot find package
 "appengine" in any of:
         ...
 }}}
 So it seems that reflect.go needs more extensive changes than just
 attachment:0001-Explicitly-set-Content-Length-to-zero-when-there-
 is-.patch​ in order to run in the flexible environment. Are you running
 something other than reflect.go on App Engine?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22865#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list