PanoptoTimeoutSoapClient::__doRequest strips splits response headers and body unreliably

Question

PanoptoTimeoutSoapClient::__doRequest strips splits response headers and body unreliably

Closed this issue 8 months ago · 4 comments

Bug description

The code that splits the header and body from a response uses $curl->info["header_size"] which corresponds to the value of: https://curl.se/libcurl/c/CURLINFO_HEADER_SIZE.html

Note that the description of CURLINFO_HEADER_SIZE specifies:

The total includes the size of any received headers suppressed by CURLOPT_SUPPRESS_CONNECT_HEADERS.

Since Moodle 4.0.7 (specifically, MDL-76370), when using a proxy, CURLOPT_SUPPRESS_CONNECT_HEADERS is set: https://github.com/moodle/moodle/blob/v4.0.7/lib/filelib.php#L3188

So if you are using a proxy which adds an additional connect header, then the value of $curl->info["header_size"] the length of that connect string is included, even though it's suppressed. Meaning that if you use it to try split the response headers from the body, you will have the wrong position.

Replication steps

On Moodle 4.0.7+:

Place the following test script (adapted from PanoptoTimeoutSoapClient) in your Moodle root and name it panoptotest.php:

<?php

require_once('config.php');
require_once('lib/filelib.php');

$curl = new curl();
$options = [
    'CURLOPT_VERBOSE' => false,
    'CURLOPT_RETURNTRANSFER' => true,
    'CURLOPT_HEADER' => true,
];

$response = $curl->post("https://postman-echo.com/post", ['foo' => 'bar'], $options);
$actualresponse = (isset($curl->info["header_size"])) ? substr($response, $curl->info["header_size"]) : "";
echo $actualresponse;

Browse to [YOUR_MOODLE]/panoptotest.php
Note that the response appears complete
Set up a proxy:
docker run -d --name squid-container -e TZ=UTC -p 1729:3128 ubuntu/squid:5.2-22.04_beta
Configure Moodle to use the proxy:
1. Browse to "Site administration" > "Server" > "HTTP"
2. Set "Proxy host" to "localhost"
3. Set "Proxy port" to 1729
Browse to [YOUR_MOODLE]/panoptotest.php (ideally do it in a new tab so you can compare to the response from step 2.)
Note that the response is not complete (the beginning is cut off).

Answer 1 · 2023-06-23T16:03:54.000Z

Hi,

Thank you for bringing this issue to our attention. I have filed an internal work item to investigate this further.

Thanks,
Joe

Answer 2 · 2023-06-24T02:24:02.000Z

I have also filed https://tracker.moodle.org/browse/MDL-78510 with Moodle HQ as this is "kind of sort of" a regression. Even though $curl->info["header_size"] is behaving correctly.

Answer 3 · 2024-01-25T09:55:06.000Z

This is fixed by adding CURLOPT_SUPPRESS_CONNECT_HEADERS if defined. Closing this for now.

Answer 4 · 2024-01-25T12:07:15.000Z

@zeroAps I'm not sure what you mean. This is a bug in the panopto plugin that happens when CURLOPT_SUPPRESS_CONNECT_HEADERS is defined. The problem is the way the plugin tries to split the response headers from the response body.

The plugin is using $curl->info["header_size"] to split the response headers from the response body when it shouldn't. Has there been a code change in the plugin to rectify this?