| Subject: | H::S::S::C::Environment should not blindly concatenate headers |
| MIME-Version: | 1.0 |
| Content-Type: | text/plain; charset="UTF-8" |
| X-Mailer: | MIME-tools 5.427 (Entity 5.427) |
| Content-Disposition: | inline |
| Content-Transfer-Encoding: | binary |
| X-RT-Original-Encoding: | utf-8 |
| X-RT-Encrypt: | 0 |
| X-RT-Sign: | 0 |
| Content-Length: | 946 |
The header() subroutine appends to $ENV{$tag} with a comma if $ENV{$tag}
exists. This violates RFC 2616, which states: "Multiple message-header
fields with the same field-name MAY be present in a message if and only
if the entire field-value for that header field is defined as a
comma-separated list [i.e., #(values)]".
Should a non-compliant client repeat headers that should not be repeated
or if a server is misconfigured to have a conflicting $ENV{HTTP_*}
variable, then H::S::S::C::E will blindly tack them on with commas.
I noticed this while testing a web app when one part of the test
framework left $ENV{HTTP_HOST} set to "localhost", resulting in C<<
$ENV{HTTP_HOST} = "localhost, localhost:50000" >>. Since HTTP_HOST is
used to construct return URIs, bad thing ensued.
As an alternative to actually checking which fields can/can't take
commas, possibly delete all pre-existing $ENV{HTTP_*} before added them
from request headers.