Steinar H. Gunderson
2017-05-24 22:10:02 UTC
Package: lua-http
Version: 0.1-1
Severity: grave
Tags: upstream
Hi,
lua-http cannot construct legal requests if a non-US locale (or more precisely,
anything using comma as decimal separator) is in use. Example:
klump:~> cat test.lua
os.setlocale('nb_NO.UTF-8')
local http_request = require "http.request"
local headers, stream = assert(http_request.new_from_uri("http://example.com"):go())
local body = assert(stream:get_body_as_string())
if headers:get ":status" ~= "200" then
    error(body)
end
print(body)
klump:~> lua5.2 test.lua
lua5.2: test.lua:6: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>505 - HTTP Version Not Supported</title>
</head>
<body>
<h1>505 - HTTP Version Not Supported</h1>
</body>
</html>
stack traceback:
[C]: in function 'error'
test.lua:6: in main chunk
[C]: in ?
This is because the request it constructs looks like this:
GET / HTTP/1,1
host: example.com
user-agent: lua-http/0.1
Note the “1,1” in the HTTP version number where it should have been 1.1.
This makes the library completely broken for a large swath of Debian's user base;
thus the severity.
-- System Information:
Debian Release: 9.0
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.11.2 (SMP w/40 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh lin
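
The failure mode described in the report, as an added example that is not part of the original report and is not lua-http's own code. It assumes the version is held as a float and rendered with "%.1f"; the function names and the de_DE.UTF-8 candidate are hypothetical.

```lua
-- Added illustration; not lua-http's source.
-- Assumption: the version is held as a float and rendered with "%.1f".

-- Locale-dependent: "%.1f" takes its decimal separator from LC_NUMERIC.
local function request_line_float(method, path, version)
	return string.format("%s %s HTTP/%.1f", method, path, version)
end

-- Locale-independent: integer conversions never emit a decimal separator.
local function request_line_fixed(method, path, major, minor)
	return string.format("%s %s HTTP/%d.%d", method, path, major, minor)
end

-- Pre-send check: the version token must be DIGIT "." DIGIT.
local function is_valid_request_line(line)
	return line:match("^%u+ %S+ HTTP/%d%.%d$") ~= nil
end

-- Try comma-decimal locales; os.setlocale returns nil if one is not installed.
-- nb_NO.UTF-8 is from the report, de_DE.UTF-8 is a constructed extra candidate.
local active
for _, name in ipairs({ "nb_NO.UTF-8", "de_DE.UTF-8" }) do
	active = os.setlocale(name, "numeric")
	if active then break end
end
print("LC_NUMERIC: " .. (active or "no comma-decimal locale installed, using current"))

-- Build the same request line both ways and run each through the check.
for _, line in ipairs({
	request_line_float("GET", "/", 1.1),
	request_line_fixed("GET", "/", 1, 1),
}) do
	print(line, is_valid_request_line(line) and "valid" or "INVALID")
end

os.setlocale("C", "numeric") -- restore the default for the rest of the program
```

A check like is_valid_request_line in a test suite run under a comma-decimal locale catches this class of bug before release.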