Hi, I was playing a bit with the new httpd(8) "hsts" setting when some trivial tests with Firefox would sometimes give the following error:
The site specified an invalid Strict-Transport-Security header. Some pages would also load and reload a few times before appearing in the browser. curl would show something strange. $ curl -s -D- https://www.example.com/ | grep ^Strict Strict-Transport-Security: max-age=31536000; includeSubDomains?? ^^ random junk It looks like there were some wrong calls to kv_set() and kv_setkey(), which were easier to find with some __printf__ attributes. The following diff is an attempt at fixing these. Cheers.
Index: httpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.94
diff -u -p -u -r1.94 httpd.h
--- httpd.h 29 Jul 2015 22:03:41 -0000 1.94
+++ httpd.h 30 Jul 2015 20:17:35 -0000
@@ -635,8 +635,8 @@ u_int32_t prefixlen2mask(u_int8_t);
 int accept_reserve(int, struct sockaddr *, socklen_t *, int, volatile int *);
 struct kv *kv_add(struct kvtree *, char *, char *);
-int kv_set(struct kv *, char *, ...);
-int kv_setkey(struct kv *, char *, ...);
+int kv_set(struct kv *, char *, ...) __attribute__((__format__ (printf, 2, 3)));
+int kv_setkey(struct kv *, char *, ...) __attribute__((__format__ (printf, 2, 3)));
 void kv_delete(struct kvtree *, struct kv *);
 struct kv *kv_extend(struct kvtree *, struct kv *, char *);
 void kv_purge(struct kvtree *);
Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.61
diff -u -p -u -r1.61 server_fcgi.c
--- server_fcgi.c 29 Jul 2015 22:03:41 -0000 1.61
+++ server_fcgi.c 30 Jul 2015 20:17:35 -0000
@@ -603,7 +603,7 @@ server_fcgi_header(struct client *clt, u
 return (-1);
 /* Add error codes */
- if (kv_setkey(&resp->http_pathquery, "%lu", code) == -1 ||
+ if (kv_setkey(&resp->http_pathquery, "%u", code) == -1 ||
 kv_set(&resp->http_pathquery, "%s", error) == -1)
 return (-1);
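Review bot: The `%lu` → `%u` change in this hunk, and the identical one at server_http.c line 1244, fix a format/argument type mismatch that was undefined behaviour: va_arg fetched a `long` where the caller had passed a 4-byte integer, so on LP64 the status code written into `http_pathquery` could carry garbage high bits. The hunk header is cut off at `u`, so I am assuming `code` is declared `u_int`/`unsigned int` in `server_fcgi_header` and `server_response_http`; worth confirming against both signatures, which begin before their hunks. The `__format__` attribute added in httpd.h only enforces this if the build compiles with `-Wformat` (implied by `-Wall`), so that flag should be part of the regular build rather than a one-off check.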
@@ -640,7 +640,7 @@ server_fcgi_header(struct client *clt, u
 if ((cl = kv_add(&resp->http_headers, "Strict-Transport-Security", NULL)) == NULL ||
- kv_set(cl, "max-age=%d%s%s%s", srv_conf->hsts_max_age,
+ kv_set(cl, "max-age=%d%s%s", srv_conf->hsts_max_age,
 srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ? "; includeSubDomains" : "", srv_conf->hsts_flags & HSTSFLAG_PRELOAD ?
Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.95
diff -u -p -u -r1.95 server_http.c
--- server_http.c 29 Jul 2015 22:03:41 -0000 1.95
+++ server_http.c 30 Jul 2015 20:17:36 -0000
@@ -1244,7 +1244,7 @@ server_response_http(struct client *clt,
 return (-1);
 /* Add error codes */
- if (kv_setkey(&resp->http_pathquery, "%lu", code) == -1 ||
+ if (kv_setkey(&resp->http_pathquery, "%u", code) == -1 ||
 kv_set(&resp->http_pathquery, "%s", error) == -1)
 return (-1);
@@ -1281,7 +1281,7 @@ server_response_http(struct client *clt,
 if ((cl = kv_add(&resp->http_headers, "Strict-Transport-Security", NULL)) == NULL ||
- kv_set(cl, "max-age=%d%s%s%s", srv_conf->hsts_max_age,
+ kv_set(cl, "max-age=%d%s%s", srv_conf->hsts_max_age,
 srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ? "; includeSubDomains" : "", srv_conf->hsts_flags & HSTSFLAG_PRELOAD ?
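Review bot: The Strict-Transport-Security value is built from the same format literal in two places — here in server_fcgi_header and again in server_response_http at server_http.c line 1281 — and both copies carried the same surplus `%s`, which is how a missing vararg ended up being read as a string pointer and leaked stack garbage into the header. Consider moving the `kv_add`/`kv_set` pair into one helper in server_http.c (e.g. `server_http_hsts(struct kv *cl, struct server_config *srv_conf)`) that owns the literal, so the two call sites cannot drift again; the duplicated error-code `kv_setkey` block would benefit from the same treatment. After the change the three conversions match the three arguments I can see, but the final `HSTSFLAG_PRELOAD` argument and the closing `== -1)` lie outside the hunk, so that count is read from the surrounding source rather than from the diff. `max-age=%d` also prints `hsts_max_age` signed; if the config parser does not already reject negative values, a negative delta-seconds would produce a header RFC 6797 clients reject, so a parse-time range check is worth confirming.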