Skip Menu |
 

This queue is for tickets about the HTTP-Message CPAN distribution.

Report information
The Basics
Id: 119570
Status: resolved
Priority: 0/
Queue: HTTP-Message

People
Owner: Nobody in particular
Requestors: cpan [...] bambra.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: [PATCH] HTTP::Message->parse works with strings without empty line between headers and body
Download (untitled) / with headers
text/plain 574b
Hello, I was very surprised by the fact, that there is no difference for HTTP::Message->parse between strings "Header: value\nbody" and "Header: value\n\nbody". The first one seems to be invalid, but it is parsed the same way as the second. This can lead to the problems when we parse buggy application output, because module don't see these bug, but real webserver see it. I suggest the patch for the library and it's test file. As you understand, it can broke applications that rely on old behaviour, that is very very old, so it is not safe. What do you think about it?
Subject: HTTP-Message.patch
Download HTTP-Message.patch
text/x-diff 1.1k
diff --color -uNr HTTP-Message-6.11/lib/HTTP/Message.pm HTTP-Message-new/lib/HTTP/Message.pm --- HTTP-Message-6.11/lib/HTTP/Message.pm 2015-09-09 23:34:32.000000000 +0300 +++ HTTP-Message-new/lib/HTTP/Message.pm 2016-12-29 17:06:44.072875100 +0300 @@ -72,7 +72,8 @@ $hdr[-1] =~ s/\r\z//; } else { - $str =~ s/^\r?\n//; + my $newline = $str =~ s/^\r?\n//; + die "Can't parse message: missing empty line before body" if length $str && !$newline && @hdr; last; } } diff --color -uNr HTTP-Message-6.11/t/message.t HTTP-Message-new/t/message.t --- HTTP-Message-6.11/t/message.t 2016-12-29 15:56:22.547641100 +0300 +++ HTTP-Message-new/t/message.t 2016-12-29 17:05:29.622320900 +0300 @@ -3,7 +3,7 @@ use Test::More; -plan tests => 129; +plan tests => 131; require HTTP::Message; use Config qw(%Config); @@ -107,6 +107,9 @@ $m = HTTP::Message->parse("\nfoo: bar\n"); is($m->as_string, "\nfoo: bar\n"); +ok(!eval { HTTP::Message->parse("invalid: request\nmissing empty line before body") }); +like($@, qr/^Can't parse message: missing empty line before body/); + $m = HTTP::Message->new([a => 1, b => 2], "abc"); is($m->content("foo\n"), "abc"); is($m->content, "foo\n");


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.