NetBSD-Bugs archive
bin/58581: ftp(1) should allow specifying header fields in http requests
>Number: 58581
>Category: bin
>Synopsis: ftp(1) should allow specifying header fields in http requests
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sun Aug 11 14:05:00 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10, 9, ...
>Organization:
The X-NetBSD: Fetchation
>Environment:
>Description:
It would be nice if you could add a custom header field to an http request.
For example, the Instance Metadata Service version 2 in Oracle Compute Infrastructure requires adding a header field `Authorization: Bearer Oracle' in order to prevent SSRF attacks which might expose secret keys.
Similarly, the IMDSv2 in Amazon EC2 requires an X-aws-ec2-metadata-token header field, populated with a token retrieved by another request made with an X-aws-ec2-metadata-token-ttl-seconds field.
Although you can do this with fancier http clients like curl(1), we might want to use these in rc scripts at first boot like /etc/rc.d/ec2_init, and it would be good if that worked only with what's available in the base system.
>How-To-Repeat:
try to use a service that requires a custom header field
>Fix:
Add a `-H <headerfield>' option to ftp(1) like curl(1) has.
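
The header requirement described in this report, as an added example that is not part of the original report or of NetBSD's ftp(1): a simplified in-memory Python model of a token-gated metadata service in the style of EC2 IMDSv2, showing that a client limited to a bare GET of a URL is refused while a client that can set header fields completes the two-step session. The class and function names, the sample instance id and the exact status codes are assumptions of this model.

```python
import secrets
import time

TTL_HDR = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HDR = "x-aws-ec2-metadata-token"
MAX_TTL = 21600  # seconds; upper bound used by EC2 IMDSv2


class ToyMetadataService:
    """Simplified, in-memory model of a header-gated metadata endpoint."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._tokens = {}  # token -> expiry time
        # Constructed sample data, not real instance metadata.
        self._data = {"/latest/meta-data/instance-id": "i-EXAMPLE"}

    def handle(self, method, path, headers=None):
        """Return (status, body) for one request."""
        h = {k.lower(): v for k, v in (headers or {}).items()}
        if path == "/latest/api/token":
            if method != "PUT":
                return 405, ""
            ttl = h.get(TTL_HDR, "")
            if not ttl.isdecimal() or not 1 <= int(ttl) <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self._tokens[token] = self._clock() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, ""
        expiry = self._tokens.get(h.get(TOKEN_HDR, ""))
        if expiry is None or self._clock() >= expiry:
            return 401, ""
        return (200, self._data[path]) if path in self._data else (404, "")


def url_only_fetch(svc, path):
    """What a client limited to 'GET <url>' can send: no custom headers."""
    return svc.handle("GET", path)


def header_capable_fetch(svc, path, ttl=60):
    """Two-step session: PUT for a token, then GET presenting it."""
    status, token = svc.handle("PUT", "/latest/api/token", {TTL_HDR: str(ttl)})
    if status != 200:
        return status, ""
    return svc.handle("GET", path, {TOKEN_HDR: token})
```
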