Broken date in case of h2c w/ `curl --http2` #272

xrat · 2023-11-22T16:12:18Z

I understand that the following is somewhat an edge case, and many admins are probably well advised to just remove h2c from Protocols, but since I saw that this is supposed to be fixed as mentioned in #144 I thought I better report that I am still seeing this. Note the date: Sun, 00 Jan 1900 00:00:00 GMT in

root@debiantesting:~# curl -v -I --http2 http://localhost/
*   Trying [::1]:80...
* Connected to localhost (::1) port 80
> HEAD / HTTP/1.1
> Host: localhost
> User-Agent: curl/8.4.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAAQAoAAAAAIAAAAA
> 
< HTTP/1.1 101 Switching Protocols
HTTP/1.1 101 Switching Protocols
< Upgrade: h2c
Upgrade: h2c
< Connection: Upgrade
Connection: Upgrade
* Received 101, Switching to HTTP/2
* Copied HTTP/2 data in stream buffer to connection buffer after upgrade: len=184
* received GOAWAY, error=0, last_stream=1

< HTTP/2 200 
HTTP/2 200 
< last-modified: Wed, 22 Nov 2023 15:21:45 GMT
last-modified: Wed, 22 Nov 2023 15:21:45 GMT
< etag: W/"29cd-60abf46f2eba5"
etag: W/"29cd-60abf46f2eba5"
< accept-ranges: bytes
accept-ranges: bytes
< content-length: 10701
content-length: 10701
< vary: Accept-Encoding
vary: Accept-Encoding
< content-type: text/html
content-type: text/html
< date: Sun, 00 Jan 1900 00:00:00 GMT
date: Sun, 00 Jan 1900 00:00:00 GMT
< server: Apache/2.4.58 (Debian)
server: Apache/2.4.58 (Debian)

< 
* Closing connection

The corresponding access.log entries are:

::1 - -  "HEAD / HTTP/2.0" 200 132 "-" "curl/8.4.0"
::1 - - [22/Nov/2023:16:54:13 +0100] "HEAD / HTTP/1.1" 101 231 "-" "curl/8.4.0"

Note the missing date in the 1st access.log entry.

The above is from a fresh VM running Debian Testing with default Apache + a2enmod http2 + LogLevel http2:info. The latter says: mod_http2 (v2.0.22, feats=CHPRIO+SHA256+INVHD+DWINS, nghttp2 1.58.0)

My apologies that I currently do not have the resources to compile Apache +/- mod_h2.

My production servers running Debian Bullseye w/ mod_http2 (v2.0.11, feats=CHPRIO+SHA256+INVHD+DWINS, nghttp2 1.43.0) produce slightly different results. Note the date from 1970:

$ curl -v -I --http2 http://localhost
*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> HEAD / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.74.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 101 Switching Protocols
HTTP/1.1 101 Switching Protocols
< Upgrade: h2c
Upgrade: h2c
< Connection: Upgrade
Connection: Upgrade
* Received 101
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0

* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
HTTP/2 200
< last-modified: Mon, 16 Aug 2021 16:00:19 GMT
last-modified: Mon, 16 Aug 2021 16:00:19 GMT
< etag: W/"4e0-5c9af4c433bab"
etag: W/"4e0-5c9af4c433bab"
< accept-ranges: bytes
accept-ranges: bytes
< content-length: 1248
content-length: 1248
< vary: Accept-Encoding
vary: Accept-Encoding
< content-type: text/html
content-type: text/html
< date: Thu, 01 Jan 1970 00:00:00 GMT
date: Thu, 01 Jan 1970 00:00:00 GMT
< server: Apache/2.4
server: Apache/2.4

<
* Connection #0 to host localhost left intact

The text was updated successfully, but these errors were encountered:

icing · 2023-11-23T12:15:31Z

Thanks for the report. I can reproduce this in a test case.

xrat · 2023-11-23T12:42:04Z

Awesome, thank you! Sorry, I can't test it yet.

- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes <icing/mod_h2#272>. - Fixed small memory leak in h2 header bucket free. Thanks to Michael Kaufmann for finding this and providing the fix. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1915281 13f79535-47bb-0310-9956-ffa450edef68

*) mod_http2: v2.0.26 with the following fixes: - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes <icing/mod_h2#272>. - Fixed small memory leak in h2 header bucket free. Thanks to Michael Kaufmann for finding this and providing the fix. Submitted by: icing Reviewed by: icing, gbechis, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1916413 13f79535-47bb-0310-9956-ffa450edef68

Changes with Apache 2.4.59 *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (cve.mitre.org) HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Credits: Bartek Nowotarski (https://nowotarski.info/) *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org) HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory. *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response splitting (cve.mitre.org) Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. Credits: Orange Tsai (@orange_8361) from DEVCORE *) mod_deflate: Fixes and better logging for handling various error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton, Eric Norris <enorris etsy.com>] *) Add CGIScriptTimeout to mod_cgi. [Eric Covener] *) mod_xml2enc: Tolerate libxml2 2.12.0 and later. [ttachi <tachihara AT hotmail.com>] *) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable. [Jean-Frederic Clere] *) mod_ssl: Use OpenSSL-standard functions to assemble CA name lists for SSLCACertificatePath/SSLCADNRequestPath. Names will now be consistently sorted. [Joe Orton] *) mod_xml2enc: Update check to accept any text/ media type or any XML media type per RFC 7303, avoiding corruption of Microsoft OOXML formats. [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton] *) mod_http2: v2.0.26 with the following fixes: - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes <icing/mod_h2#272>. - Fixed small memory leak in h2 header bucket free. Thanks to Michael Kaufmann for finding this and providing the fix. *) htcacheclean: In -a/-A mode, list all files per subdirectory rather than only one. [Artem Egorenkov <aegorenkov.91 gmail.com>] *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files which include CA certificates; those CA certs are treated as if configured with SSLProxyMachineCertificateChainFile. [Joe Orton] *) htpasswd, htdbm, dbmmanage: Update help&docs to refer to "hashing", rather than "encrypting" passwords. [Michele Preziuso <mpreziuso kaosdynamics.com>] *) mod_ssl: Fix build with LibreSSL 2.0.7+. [Giovanni Bechis, Yann Ylavic] *) htpasswd: Add support for passwords using SHA-2. [Joe Orton, Yann Ylavic] *) core: Allow mod_env to override system environment vars. [Joe Orton] *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an operation which removes a directory/file between apr_dir_read() and apr_stat(). Current behaviour is to abort the connection which seems inferior to tolerating (and logging) the error. [Joe Orton] *) mod_ldap: HTML-escape data in the ldap-status handler. [Eric Covener, Chamal De Silva] *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available, notably with OpenSSL >= 3. [Yann Ylavic, Joe Orton] *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice). [Yann Ylavic] *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis] *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when some dollar substitution (backreference) happens in the hostname or port part of the URL. [Yann Ylavic] *) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend systems are cached. [Yann Ylavic] *) mod_proxy: Add optional third argument for ProxyRemote, which configures Basic authentication credentials to pass to the remote proxy.

www/apache24: security fix Revisions pulled up: - www/apache24/Makefile 1.124 - www/apache24/distinfo 1.62 - www/apache24/patches/patch-configure 1.5 - www/apache24/patches/patch-modules_filters_mod__xml2enc.c deleted --- Module Name: pkgsrc Committed By: adam Date: Fri Apr 5 09:31:38 UTC 2024 Modified Files: pkgsrc/www/apache24: Makefile distinfo pkgsrc/www/apache24/patches: patch-configure Removed Files: pkgsrc/www/apache24/patches: patch-modules_filters_mod__xml2enc.c Log Message: apache24: updated to 2.4.59 Changes with Apache 2.4.59 *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (cve.mitre.org) HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Credits: Bartek Nowotarski (https://nowotarski.info/) *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org) HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory. *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response splitting (cve.mitre.org) Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. Credits: Orange Tsai (@orange_8361) from DEVCORE *) mod_deflate: Fixes and better logging for handling various error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton, Eric Norris <enorris etsy.com>] *) Add CGIScriptTimeout to mod_cgi. [Eric Covener] *) mod_xml2enc: Tolerate libxml2 2.12.0 and later. [ttachi <tachihara AT hotmail.com>] *) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable. [Jean-Frederic Clere] *) mod_ssl: Use OpenSSL-standard functions to assemble CA name lists for SSLCACertificatePath/SSLCADNRequestPath. Names will now be consistently sorted. [Joe Orton] *) mod_xml2enc: Update check to accept any text/ media type or any XML media type per RFC 7303, avoiding corruption of Microsoft OOXML formats. [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton] *) mod_http2: v2.0.26 with the following fixes: - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes <icing/mod_h2#272>. - Fixed small memory leak in h2 header bucket free. Thanks to Michael Kaufmann for finding this and providing the fix. *) htcacheclean: In -a/-A mode, list all files per subdirectory rather than only one. [Artem Egorenkov <aegorenkov.91 gmail.com>] *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files which include CA certificates; those CA certs are treated as if configured with SSLProxyMachineCertificateChainFile. [Joe Orton] *) htpasswd, htdbm, dbmmanage: Update help&docs to refer to "hashing", rather than "encrypting" passwords. [Michele Preziuso <mpreziuso kaosdynamics.com>] *) mod_ssl: Fix build with LibreSSL 2.0.7+. [Giovanni Bechis, Yann Ylavic] *) htpasswd: Add support for passwords using SHA-2. [Joe Orton, Yann Ylavic] *) core: Allow mod_env to override system environment vars. [Joe Orton] *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an operation which removes a directory/file between apr_dir_read() and apr_stat(). Current behaviour is to abort the connection which seems inferior to tolerating (and logging) the error. [Joe Orton] *) mod_ldap: HTML-escape data in the ldap-status handler. [Eric Covener, Chamal De Silva] *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available, notably with OpenSSL >= 3. [Yann Ylavic, Joe Orton] *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice). [Yann Ylavic] *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis] *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when some dollar substitution (backreference) happens in the hostname or port part of the URL. [Yann Ylavic] *) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend systems are cached. [Yann Ylavic] *) mod_proxy: Add optional third argument for ProxyRemote, which configures Basic authentication credentials to pass to the remote proxy.

icing mentioned this issue Nov 23, 2023

H2 upgrade fix date #273

Merged

icing closed this as completed in 938b6c8 Nov 23, 2023

fzipi mentioned this issue Apr 4, 2024

chore: update release to 2.4.59 docker-library/httpd#257

Closed

stondino00 mentioned this issue Apr 6, 2024

Upgrade Apache to 2.4.59 nextcloud-snap/nextcloud-snap#2710

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Broken date in case of h2c w/ `curl --http2` #272

Broken date in case of h2c w/ `curl --http2` #272

xrat commented Nov 22, 2023

icing commented Nov 23, 2023

xrat commented Nov 23, 2023

Broken date in case of h2c w/ curl --http2 #272

Broken date in case of h2c w/ curl --http2 #272

Comments

xrat commented Nov 22, 2023

icing commented Nov 23, 2023

xrat commented Nov 23, 2023

Broken date in case of h2c w/ `curl --http2` #272

Broken date in case of h2c w/ `curl --http2` #272