This relates to the earlier messages I sent to bugs@ in: https://marc.info/?t=163309376900001&r=1&w=2

RFC 7231 [HTTP/1.1] section 4.3.2. "HEAD" states:

    The HEAD method is identical to GET except that the server MUST NOT
    send a message body in the response (i.e., the response terminates
    at the end of the header section).

RFC 3875 [The Common Gateway Interface (CGI) Version 1.1] in section 4.3.2 HEAD states:

    The HEAD method requests the script to do sufficient processing to
    return the response header fields, without providing a response
    message-body. The script MUST NOT provide a response message-body
    for a HEAD request. If it does, then the server MUST discard the
    message-body when reading the response from the script.

Therefore, a CGI script which sends a message body is in violation of the CGI specification, but so is the server if it fails to elide the body.

With httpd, we see (for example):

----
$ printf "HEAD /cgi-bin/ftplist.cgi?dbversion=1 HTTP/1.0\r\nHost:ftp.openbsd.org\r\n\r\n" \
    | nc -c ftp.openbsd.org https
HTTP/1.0 200 OK
Connection: close
Content-type: text/plain
Date: Fri, 01 Oct 2021 12:50:59 GMT
Server: OpenBSD httpd

https://mirror.aarnet.edu.au/pub/OpenBSD Canberra, Australia
https://cdn.openbsd.org/pub/OpenBSD Fastly (CDN)
https://cloudflare.cdn.openbsd.org/pub/OpenBSD Cloudflare (CDN)
...
RND_BYTES=0xfe9832a3...
----

So httpd isn't behaving correctly.

The patch below is offered in the hope that it is a starting point for a proper solution. Whilst it solves the problem in a simple test case, I'm insufficiently familiar with the httpd code to know whether this is correct or sufficient!

Ross

----
Index: server_fcgi.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v retrieving revision 1.88 diff -u -p -r1.88 server_fcgi.c --- server_fcgi.c 20 May 2021 15:12:10 -0000 1.88 +++ server_fcgi.c 9 Oct 2021 10:18:55 -0000 
@@ -559,6 +559,11 @@ server_fcgi_read(struct bufferevent *bev return; } } + if (clt->clt_fcgi.headerssent && + ((struct http_descriptor *) + clt->clt_descreq)->http_method + == HTTP_METHOD_HEAD) + return; if (server_fcgi_writechunk(clt) == -1) { server_abort_http(clt, 500, "encoding error");
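
Review bot: The added check in server_fcgi_read() leaves the function with a bare "return;" instead of only skipping the server_fcgi_writechunk() call that follows it, so anything else the function would do after the write for this read event is skipped too for a HEAD request. The visible lines do not show whether more buffered FastCGI data or end-of-request handling follows, so please confirm that returning here cannot leave data undrained or the request unfinished; if it can, make the write conditional on the method not being HEAD rather than returning. Two smaller points: the cast "((struct http_descriptor *) clt->clt_descreq)->http_method" would read better through a local struct http_descriptor pointer, and a one-line comment citing RFC 3875 section 4.3.2 would document why the body is dropped. The test also depends on clt_fcgi.headerssent, so it is worth checking that body bytes arriving in the same read as the headers are discarded as well.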
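
The check behind the nc session above, as an added example that is not part of the original post or of httpd: it splits a captured raw response to a HEAD request at the end of the header section and counts any bytes that follow. The function names and both sample responses are constructed for illustration. A Content-Length header is permitted on a HEAD response, so the verdict is based on the bytes actually received, not on that header.

```python
# Constructed sample modelled on the response quoted in the post:
# a header section followed by body bytes the server should have discarded.
SAMPLE_BODY = b"https://cdn.openbsd.org/pub/OpenBSD\tFastly (CDN)\n"
LEAKY = (b"HTTP/1.0 200 OK\r\nConnection: close\r\n"
         b"Content-type: text/plain\r\nServer: OpenBSD httpd\r\n\r\n" + SAMPLE_BODY)
# Constructed conformant response: Content-Length present, no body follows.
CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
         b"Content-Length: 4096\r\n\r\n")


def split_response(raw: bytes):
    """Return (status_line, headers, body) for one raw HTTP response."""
    # The header section ends at the first empty line; tolerate bare LF too.
    ends = [(raw.find(sep), len(sep)) for sep in (b"\r\n\r\n", b"\n\n")]
    ends = [(pos, width) for pos, width in ends if pos != -1]
    if not ends:
        raise ValueError("no end of header section found")
    pos, width = min(ends)  # earliest terminator wins
    head, body = raw[:pos], raw[pos + width:]
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = \
            value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def check_head_response(raw: bytes) -> dict:
    """Report whether a response to HEAD stops at the end of the headers."""
    status, headers, body = split_response(raw)
    return {
        "status": status,
        # Informational only: describes what GET would return.
        "declared_length": headers.get("content-length"),
        "body_bytes": len(body),
        "conformant": len(body) == 0,
    }


if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, check_head_response(raw))
```
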