NetBSD-Bugs archive


Re: bin/58581: ftp(1) should allow specifying header fields in http requests



The following reply was made to PR bin/58581; it has been noted by GNATS.

From: Sunil Nimmagadda <sunil%nimmagadda.net@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/58581: ftp(1) should allow specifying header fields in http requests
Date: Sun, 11 Aug 2024 21:15:22 +0530

 campbell+netbsd%mumble.net@localhost writes:
 
 >>Number:         58581
 >>Category:       bin
 >>Synopsis:       ftp(1) should allow specifying header fields in http requests
 >>Confidential:   no
 >>Severity:       serious
 >>Priority:       medium
 >>Responsible:    bin-bug-people
 >>State:          open
 >>Class:          change-request
 >>Submitter-Id:   net
 >>Arrival-Date:   Sun Aug 11 14:05:00 +0000 2024
 >>Originator:     Taylor R Campbell
 >>Release:        current, 10, 9, ...
 >>Organization:
 > The X-NetBSD: Fetchation
 >>Environment:
 >>Description:
 > It would be nice if you could add a custom header field to an http request.
 >
 > For example, the Instance Metadata Service version 2 in Oracle Compute
 > Infrastructure requires adding a header field `Authorization: Bearer
 > Oracle' in order to prevent SSRF attacks which might expose secret
 > keys.
 >
 > Similarly, the IMDSv2 in Amazon EC2 requires an X-aws-ec2-metadata-token header field, populated with a token retrieved by another request made with an X-aws-ec2-metadata-token-ttl-seconds field.
 >
 > Although you can do this with fancier http clients like curl(1), we
 > might want to use these in rc scripts at first boot like
 > /etc/rc.d/ec2_init, and it would be good if that worked only with
 > what's available in the base system.
 >>How-To-Repeat:
 > try to use a service that requires a custom header field
 >>Fix:
 > Add a `-H <headerfield>' option to ftp(1) like curl(1) has.
 
 Initial attempt at adding a custom HTTP request header...
 $ ftp -H 'Authorization: Bearer Oracle' https://example.com/foo
 
 diff --git a/usr.bin/ftp/fetch.c b/usr.bin/ftp/fetch.c
 --- a/usr.bin/ftp/fetch.c
 +++ b/usr.bin/ftp/fetch.c
 @@ -882,6 +882,9 @@
  	print_host(fin, ui);
  	fetch_printf(fin, "Accept: */*\r\n");
  	fetch_printf(fin, "Connection: close\r\n");
 +	if (http_header) {
 +		fetch_printf(fin, "%s\r\n", http_header);
 +	}
  	if (restart_point) {
  		fputs(leading, ttyout);
  		fetch_printf(fin, "Range: bytes=" LLF "-\r\n",
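 Review bot: the new `fetch_printf(fin, "%s\r\n", http_header);` writes the user-supplied string into the request unvalidated, so a value containing CR or LF (easy to get when an rc script builds the value from a variable) is sent as additional header lines or ends the header block early; reject CR/LF before it reaches this write, e.g. `if (strpbrk(http_header, "\r\n") != NULL) errx(1, "-H: header must not contain CR or LF");`. The `if (http_header)` check also does not verify that the value has a `name: value` shape, and a single string allows only one custom field per request; a list filled by repeated `-H` would match the curl(1) behaviour the PR asks for.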
 diff --git a/usr.bin/ftp/ftp_var.h b/usr.bin/ftp/ftp_var.h
 --- a/usr.bin/ftp/ftp_var.h
 +++ b/usr.bin/ftp/ftp_var.h
 @@ -255,6 +255,7 @@
  GLOBAL	int	epsv6bad;	/* EPSV doesn't work on the current server */
  GLOBAL	int	editing;	/* command line editing enabled */
  GLOBAL	int	features[FEAT_max];	/* remote FEATures supported */
 +GLOBAL const char *http_header;	/* Custom HTTP Request header */
  
  #ifndef NO_EDITCOMPLETE
  GLOBAL	EditLine *el;		/* editline(3) status structure */
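 Review bot: style, the added `GLOBAL const char *http_header;` separates the fields with spaces while the neighbouring declarations use tabs (`GLOBAL	int	epsv6bad;`); write it as `GLOBAL	const char *http_header;	/* custom HTTP request header */` so it lines up, and keep the comment in lower case like the others in this block.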
 diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c
 --- a/usr.bin/ftp/main.c
 +++ b/usr.bin/ftp/main.c
 @@ -267,7 +267,7 @@
  		}
  	}
  
 -	while ((ch = getopt(argc, argv, ":46Aab:defginN:o:pP:q:r:Rs:tT:u:vVx:")) != -1) {
 +	while ((ch = getopt(argc, argv, ":46Aab:defgH:inN:o:pP:q:r:Rs:tT:u:vVx:")) != -1) {
  		switch (ch) {
  		case '4':
  			family = AF_INET;
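 Review bot: the optstring gains `H:` but nothing else in this patch documents the option; the usage() text in main.c and the option list in ftp.1 need a matching `-H header` entry, and the manual should state that the field is sent verbatim on every HTTP request ftp(1) makes for the URL.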
 @@ -315,6 +315,10 @@
  			doglob = 0;
  			break;
  
 +		case 'H':
 +		  http_header = ftp_strdup(optarg);
 +		  break;
 +
  		case 'i':
  			interactive = 0;
  			break;
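 Review bot: the `case 'H':` body is indented with spaces while the surrounding cases (`case 'i':` just below) use tabs; re-indent with tabs. Also, a second `-H` on the command line silently overwrites the first and leaks the earlier `ftp_strdup(optarg)` result; either `free()` the previous value, reject a repeated `-H` with an error, or append to a list so several fields can be given, which is what the PR's EC2 example will eventually want.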
 