Copy as cURL returns invalid headers
Categories
(DevTools :: Netmonitor, defect, P3)
Tracking
(firefox95 fixed)
Tracking | Status | |
---|---|---|
firefox95 | --- | fixed |
People
(Reporter: srpen6, Assigned: ezikeonyinyefavour)
References
(Blocks 1 open bug)
Details
(Keywords: good-first-bug, Whiteboard: dt-outreachy-2021)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Steps to reproduce:
Copy as cURL returns invalid headers
- New Private Window
- Tools, Web Developer, Network
- browse to http://rarbg.to/threat_defence.php
- right click final HTML request, Copy, Copy as cURL (POSIX)
Result is something like this:
curl
'http://rarbg.to/threat_defence.php?defence=2&sk=f3xl5b8c6u&cid=45916380&i=2536743499&ref_cookie=rarbg.to&r=32767847'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0)
Gecko/20100101 Firefox/84.0' -H 'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8' -H
'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer:
http://rarbg.to/threat_defence.php' -H 'Connection: keep-alive' -H 'Cookie:
sk=f3xl5b8c6u' -H 'Upgrade-Insecure-Requests: 1'
Notice that "--compressed" is in the command. This is not valid. If you view the
actual Request Headers, you will see this:
Accept-Encoding: gzip, deflate
This server is using this difference to its advantage, as a way to determine if
request is coming from a browser. If you naively use the cURL command as is, you
get a redirect:
HTTP/1.1 302 Found
Location: /threat_defence.php?defence=nojc
If you change to proper header, you get expected response:
HTTP/1.1 200 OK
Updated•3 years ago
|
Comment 1•3 years ago
|
||
Hi Honza,
Can you reproduce this on Windows?
Thanks
Comment 2•3 years ago
|
||
Thank you for the report Steven.
I tried the STRs from comment #0 on my machine and I can see the --compressed
Note that it's added when the request contains accept-encoding
header.
You might also checkout the source code here:
https://searchfox.org/mozilla-central/rev/67945e4b7316dfb6914986213ed5b8a7df700958/devtools/client/shared/curl.js#151
In my case the complete cURL is as follows:
curl 'http://rarbg.to/threat_defence.php?defence=nojc' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://rarbg.to/threat_defence.php' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Cookie: sk=v3r7dqclz6' -H 'Upgrade-Insecure-Requests: 1' -H 'Cache-Control: max-age=0'
When executing it on the command line (I am also adding -i
argument) I am getting HTTP/1.1 200 OK
from the server (no redirect)
Some questions:
- Are you suggesting that we should change the logic and not add
--compressed
whenaccept-encoding
header is available? - I can't reproduce the redirect. Did the server change?
- Could you also test with the latest Firefox Nightly 91? https://www.mozilla.org/en-US/firefox/channel/desktop/
Honza
Reporter | ||
Comment 3•3 years ago
|
||
Sorry, I think I left out a step, as the URL you are working with is not correct, try this:
- New Private Window
- Tools, Web Developer, Network
- browse to http://rarbg.to/threat_defence.php
- after page loads, click the "Click here"
- right click final HTML request, Copy, Copy as cURL (POSIX)
resultant cURL command should be similar to what I put in the original post. I can still repro the original issue consistently.
Comment 4•3 years ago
|
||
Thanks for the update.
I tried STRs from comment #3 and I am getting the following:
(I am right clicking on the last HTML request after clicking the "Click here" link)
curl 'http://rarbg.to/threat_defence.php?defence=2&sk=fw0zmxedot&cid=46046102&i=2544389859&ref_cookie=rarbg.to&r=38672076' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://rarbg.to/threat_defence.php?defence=1' -H 'Cookie: sk=fw0zmxedot' -H 'Upgrade-Insecure-Requests: 1'
Since the request contains Accept-Encoding: gzip, deflate
header the --compressed
argument is automatically added, this is how the logic works (see also my comment #2). Are you suggesting that we shouldn't add it in some cases?
Honza
Reporter | ||
Comment 5•3 years ago
|
||
You should only add "--compressed", if it can replace the original "Accept-Encoding" header, without changing the resultant request at all. That is not what is happening here. By your own admission (and my testing), the original request uses:
Accept-Encoding: gzip, deflate
While using "--compressed" uses something else:
PS C:\> curl -I -v --compressed example.com
> Accept-Encoding: deflate, gzip, br
The server in question recognizes this difference, and proceeds to reject the request.
Updated•3 years ago
|
Comment 6•3 years ago
|
||
(In reply to Steven Penny from comment #5)
You should only add "--compressed", if it can replace the original "Accept-Encoding" header, without changing the resultant request at all. That is not what is happening here. By your own admission (and my testing), the original request uses:
Accept-Encoding: gzip, deflate
While using "--compressed" uses something else:
PS C:\> curl -I -v --compressed example.com > Accept-Encoding: deflate, gzip, br
The server in question recognizes this difference, and proceeds to reject the request.
Thank for the update.
So, we should check out what cURL is generating for the Accept-Encoding
header (the value) before producing the final cURL command.
Honza
Reporter | ||
Comment 7•3 years ago
|
||
Honestly it would be better to just never use "--compressed" at all. Its currently just a synonym for:
Accept-Encoding: deflate, gzip, br
but that could change if cURL adopts other decompression methods. Since Firefox knows the exact request headers, just use those directly. Yes, the resultant commands will be slightly longer, but the logic should be simpler, and the resulting cURL commands will be accurate.
Comment 8•3 years ago
|
||
I see, thanks for the note. I agree, this sounds like the way to go.
Some instructions for anyone interested in fixing this issue:
-
The place where the
--compressed
header is added is here:
https://searchfox.org/mozilla-central/rev/67945e4b7316dfb6914986213ed5b8a7df700958/devtools/client/shared/curl.js#151 -
You can execute that function through the request list context menu
Copy -> Copy, Copy as cURL (POSIX)
-
The
--compressed
argument should not be added to the generated command. Instead, we should copy theAccept-Encoding
header. So, looks like removing theif (header.name.toLowerCase() === "accept-encoding") {
condition could be enough.
Honza
Comment 9•3 years ago
|
||
Can I work on this?
I understand it probably involves removing the if (header.name.toLowerCase() === "accept-encoding") {
statement in the curl.js file and testing it afterwards.
Comment 10•3 years ago
|
||
I do not mean to be rude or impatient but I already started working on this bug. Removing the if-statement above (comment #8) did indeed remove the --compressed
argument.
I now get the following cURL command when following the instructions from comment #3:
curl 'https://rarbg.to/threat_defence_ajax.php?sk=mp81t074yr&cid=46957464&i=2598546805&r=41557728&_=1625425618512' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: text/plain' -H 'X-Requested-With: XMLHttpRequest' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: https://rarbg.to/threat_defence.php?defence=1' -H 'Cookie: sk=mp81t074yr' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin'
Does that completely fix the issue? And if so, who could be the reviewer or reviewer group for my commit? (hg log /home/user/Mozilla/mozilla-central/devtools/client/shared/curl.js
show 'Honza' as most common but I see a few others as well.)
Comment 11•3 years ago
|
||
@bugzilla.zyaep: thank you for helping with this one!
And yes, I can review the patch.
Please post your patch to Phabricator
You might want to see some instructions here:
https://moz-conduit.readthedocs.io/en/latest/phabricator-user.html
Honza
Updated•3 years ago
|
Comment 12•3 years ago
|
||
Comment 13•3 years ago
|
||
I tested the attached patch and it seems to be working well for me.
When following the STRs from comment #0 I am getting:
curl 'http://rarbg.to/threat_defence.php?defence=2&sk=le9cjm3hgt&cid=46983381&i=2600114623&ref_cookie=rarbg.to&r=80587410' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Connection: keep-alive' -H 'Referer: http://rarbg.to/threat_defence.php' -H 'Cookie: sk=le9cjm3hgt' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache'
Steven, can you please test the patch on your machine and double check it works before we land it?
I pushed to Mozilla Try server here:
https://treeherder.mozilla.org/jobs?repo=try&revision=1059a20e21554747314b2b7a55ba4ede97bce616&selectedTaskRun=PvNlxRMVS8GE3W9yQ_YlcQ.0
(go to the Artifacts
tab at the bottom of the page)
You can download Win Build (exe Firefox installer or bundle to unzip to a dir and run Firefox directly)
(let me know if you need different OS build)
Thank you,
Honza
Reporter | ||
Comment 14•3 years ago
|
||
I dont know what artifact to download, I see like 40 files to choose from
Comment 15•3 years ago
•
|
||
Two options:
target.zip
- unzip and run firefox.exetarget.installer.exe
- run and install Firefox.
I'd go with #1 since you can easily remove everything after testing.
You should run with a new profile: firefox.exe -P test-profile
Honza
Reporter | ||
Comment 16•3 years ago
|
||
OK yes, with the patch everything seems to work now. At first I was still having trouble, but that was my own fault for adding "-I" to do a HEAD request, which that server also doesnt support. I removed that (which gave me the original command from Firefox), and only added "-v" for troubleshooting, and I get a 200 OK.
Comment 18•3 years ago
|
||
This good-first-bug hasn't had any activity for 2 months, it is automatically unassigned.
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 19•3 years ago
|
||
Updated•3 years ago
|
Assignee | ||
Comment 20•3 years ago
|
||
I've submitted a patch to this bug. Regarding the failing test, please kindly guide me on how I can fix the 2 test cases that are failing after the bug fix,
I tried removing the "--compressed" that is inside the "BASE_RESULT" array on devtools/client/netmonitor/test/browser_net_copy_as_curl.js,
but that didn't fix it.
Kindly guide me on how I can fix this test successfully so I can update the patch.
@Honza @bomsy
Thanks.
Comment 23•3 years ago
|
||
Pushed by hmanilla@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/88ca2c5e4030 [devtools] fix copy as cURL that returns invalid header. r=Honza,bomsy
Comment 24•3 years ago
|
||
bugherder |
Description
•