
This queue is for tickets about the HTTP-Server-Simple CPAN distribution.

Report information
The Basics
Id: 82124
Status: new
Priority: 0/
Queue: HTTP-Server-Simple

People
Owner: Nobody in particular
Requestors: dagolden [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: H::S::S::C::Environment should not blindly concatenate headers
The header() subroutine appends to $ENV{$tag} with a comma if $ENV{$tag} exists. This violates RFC 2616, which states: "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]".

Should a non-compliant client repeat headers that should not be repeated, or should a server be misconfigured to have a conflicting $ENV{HTTP_*} variable, then H::S::S::C::E will blindly tack them on with commas. I noticed this while testing a web app when one part of the test framework left $ENV{HTTP_HOST} set to "localhost", resulting in C<< $ENV{HTTP_HOST} = "localhost, localhost:50000" >>. Since HTTP_HOST is used to construct return URIs, bad things ensued.

As an alternative to actually checking which fields can/can't take commas, possibly delete all pre-existing $ENV{HTTP_*} before adding them from request headers.
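
The behaviour reported above and the suggested clean-up, shown as an added example that is not part of the original ticket and is not the module's source. `header_append`, `clear_http_env` and the sample headers are hypothetical names and constructed data; a plain hash stands in for `%ENV`.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Model of the behaviour described in the ticket (not the module's code):
# a repeated or pre-existing tag is joined onto the old value with a comma.
sub header_append {
    my ($env, $tag, $value) = @_;
    my $key = 'HTTP_' . uc($tag);
    $key =~ tr/-/_/;
    $env->{$key} = exists $env->{$key} ? "$env->{$key}, $value" : $value;
    return;
}

# Clean-up suggested in the ticket: drop every inherited HTTP_* entry
# before the request headers are copied into the environment.
sub clear_http_env {
    my ($env) = @_;
    delete @{$env}{ grep { /^HTTP_/ } keys %$env };
    return;
}

# Constructed sample: one request with a Host header.
my @request_headers = (
    [ 'Host'   => 'localhost:50000' ],
    [ 'Accept' => 'text/html' ],
);

# Case 1: HTTP_HOST left behind by an earlier step, no clean-up.
my %stale = ( HTTP_HOST => 'localhost', PATH => '/usr/bin' );
header_append( \%stale, @$_ ) for @request_headers;
print "without clearing: HTTP_HOST=$stale{HTTP_HOST}\n";

# Case 2: same starting environment, HTTP_* cleared first.
my %clean = ( HTTP_HOST => 'localhost', PATH => '/usr/bin' );
clear_http_env( \%clean );
header_append( \%clean, @$_ ) for @request_headers;
print "with clearing:    HTTP_HOST=$clean{HTTP_HOST}\n";
print "PATH untouched:   $clean{PATH}\n";
```

Clearing covers only the inherited-environment case; a client that repeats Host within a single request would still be joined by the append logic.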

