Apparently, broken handling of same-named HTTP headers in outcalls

qwertytrewq · June 4, 2024, 3:10pm

It seems that when there are multiple same-named HTTP headers in a request:

    public shared func test(): async Text {
        let headers = Http.headersNew();
        headers.put("Host", ["local.vporton.name:8081"]); // overrides the default
        // Add arbitrary headers for testing:
        headers.put("Content-Type", ["text/plain"]);
        headers.put("X-My", ["my", "my2"]);
        let res = await Call.callHttp(
            {
                url = "https://local.vporton.name:8443";
                headers = headers.share();
                body = "";
                method = #get;
            },
            null,
            {
                max_response_bytes = ?10_000;
                cycles = 900_000_000_000; // TODO: much too much
                timeout = 60_000_000_000; // 60 sec
            },
        );
        let ?body = Text.decodeUtf8(Blob.fromArray(res.body)) else {
            Debug.trap("No response body.")
        };
        body;
    }

(a code from currently debugged GitHub - vporton/joining-proxy-rust: This will contain a proxy that intentionally delivers outdated data), then HTTP outcall preserves only one header. That’s wrong. Multiple same-named headers is legit in HTTP and they should be preserved.

However, this may be a fake alarm, I didn’t thoroughly test it yet.

qwertytrewq · June 6, 2024, 9:22am

@kpeacock The bug was confirmed by a minimal example.

The outgoing in an outcall HTTP headers are erroneously crumbled (headers with duplicate names are removed, what should not).

The incoming HTTP headers to IC are processed correctly.

Where to report the bug in Replica?

christian · June 6, 2024, 9:27am

Hey, according to the HTTP spec, you can simply concatenate all values using a comma. E.g.:

Accept: text/html
Accept: application/xml

is equivalent to

Accept: text/html, application/xml

I hope this helps.

qwertytrewq · June 6, 2024, 9:41am

@christian Current Replica removes a part of fields altogether rather than concatenating them. So, it’s a bug.

Second, Field Lines and Combined Field Value does not warrant that a client or a server will consider the meaning of a repeated field equal to its combined value.

Particularly, AFAIK, it is an error to combine several Set-Cookie into one separated by comma.

christian · June 6, 2024, 9:54am

Right, this would not work for Set-Cookie as it uses a specific format to separate different attributes of a single cookie.

Thanks a lot, we filed a bug and will look into it.

qwertytrewq · June 6, 2024, 11:03am

But note that “default” headers (Host, Content-Type, and (in some reason added by IC) Accept; maybe I forgot some) that are added by default, should be overwritten by user query rather than added to them.

tim1 · June 7, 2024, 9:44am

Thanks for the bug report. Indeed you are right that we remove some headers that have the same header name.

The fix has been merged and should be deployed on mainnet in ~1.5 weeks.

Again thanks for reporting and providing a reproducible example!

Topic		Replies	Views
HTTP POST outcalls consensus not working , only one is working Rust	12	564	August 4, 2023
FIX ME! in http outcalls call raw Developers	2	416	April 16, 2023
How to update this simple example for new HTTP_TRANSFORM Developers	7	500	November 10, 2022
HTTP outcall cycles parameter Developers	7	235	March 11, 2024
Can multiple http outcalls be successfully initiated in one update call/one timerId task? Developers	1	324	December 16, 2022

Apparently, broken handling of same-named HTTP headers in outcalls

Related Topics