[tor-bugs] #22865 [Obfuscation/meek]: Explicitly set Content-Length to zero when there is no data to send
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Jul 16 18:54:18 UTC 2017
#22865: Explicitly set Content-Length to zero when there is no data to send
------------------------------+------------------------------
Reporter: twim | Owner: dcf
Type: defect | Status: needs_review
Priority: Medium | Milestone:
Component: Obfuscation/meek | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------+------------------------------
Comment (by twim):
Replying to [comment:9 dcf]:
> I've just done a test here locally, and meek-client compiled with
> `go1.8.3 linux/amd64` sends `Content-Length: 0` even without the patch
> from this ticket. I inspected the traffic by running a socat shim on port
> 4000:
> ...
> Are you able to reproduce this? I don't see how the patch would cause it
> to behave any differently.
Yes I am. It turns out that `Content-Length` is being set to 0 when
HTTP/1.1 is used, and omitted in case of HTTP/2.
> And the documentation for
> [https://golang.org/pkg/net/http/#NewRequest http.NewRequest] says that a
> *bytes.Reader has special handling and sets the body to the magic value
> [https://golang.org/pkg/net/http/#pkg-variables NoBody] when the length of
> the Reader is 0:
No, it says that body is set to NoBody if `request.ContentLength == 0`.
> So I'm wondering if this patch is really needed? If so, can you give me
> complete reproduction instructions so that I can see the bug for myself?
Yes, see https://github.com/golang/go/issues/20257 for details. And this
is a blocker on GAE Flex (maybe others).
I wrote a PoC for this (see attachments). With HTTP/2 it makes a request
like this:
`POST / HTTP/2.0\r\nHost: meek.appspot.com\r\nAccept-Encoding: gzip\r\nUser-Agent: Go-http-client/2.0\r\n\r\n`
So this gets proxied via HTTP/1.1 to the application. If there is a
middleware in between it returns `411 Length Required`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22865#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
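
The 411 described in the comment above, as an added example that is not part of the ticket, its attachments or meek's code: a strict length check applied to the quoted request once it is forwarded as HTTP/1.1, beside the HTTP/1.1 form Go writes for the same empty POST. The names `lengthCheck`, `emptyPollHTTP1` and `forwardedNoLength` are hypothetical, and the forwarded request is a constructed sample that assumes the front end passes the headers through unchanged.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample: the request quoted in the ticket, re-serialized as
// HTTP/1.1 the way a front end would forward it. No Content-Length header.
const forwardedNoLength = "POST / HTTP/1.1\r\nHost: meek.appspot.com\r\n" +
	"Accept-Encoding: gzip\r\nUser-Agent: Go-http-client/2.0\r\n\r\n"

// lengthCheck is a hypothetical strict middleware rule: a POST that declares
// neither Content-Length nor Transfer-Encoding gets 411 Length Required.
func lengthCheck(raw string) (int, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return 0, err
	}
	_, hasLength := req.Header["Content-Length"]
	if req.Method == http.MethodPost && !hasLength && len(req.TransferEncoding) == 0 {
		return http.StatusLengthRequired, nil
	}
	return http.StatusOK, nil
}

// emptyPollHTTP1 serializes an empty-bodied POST with Request.Write, which
// produces the HTTP/1.1 wire form of the request.
func emptyPollHTTP1() (string, error) {
	req, err := http.NewRequest("POST", "https://meek.appspot.com/", bytes.NewReader(nil))
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := req.Write(&buf); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	wire, _ := emptyPollHTTP1()
	withoutLength, _ := lengthCheck(forwardedNoLength)
	withLength, _ := lengthCheck(wire)
	fmt.Printf("%q\nno length: %d, HTTP/1.1 form: %d\n", wire, withoutLength, withLength)
}
```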