
This queue is for tickets about the HTTP-Server-Simple CPAN distribution.

Report information
The Basics
Id: 82124
Status: new
Priority: 0/
Queue: HTTP-Server-Simple

Owner: Nobody in particular
Requestors: dagolden [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: H::S::S::C::Environment should not blindly concatenate headers
The header() subroutine appends to $ENV{$tag} with a comma if $ENV{$tag} exists. This violates RFC 2616, which states: "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]". Should a non-compliant client repeat headers that should not be repeated or if a server is misconfigured to have a conflicting $ENV{HTTP_*} variable, then H::S::S::C::E will blindly tack them on with commas. I noticed this while testing a web app when one part of the test framework left $ENV{HTTP_HOST} set to "localhost", resulting in C<< $ENV{HTTP_HOST} = "localhost, localhost:50000" >>. Since HTTP_HOST is used to construct return URIs, bad things ensued. As an alternative to actually checking which fields can/can't take commas, possibly delete all pre-existing $ENV{HTTP_*} before adding them from request headers.
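
The behaviour reported above and the suggested alternative, as an added example that is not part of the ticket or the distribution's source. `header_append` and `clear_http_env` are hypothetical names, the `HTTP_` tag mapping is a simplified assumption, and the request headers and leftover environment are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model of the behaviour the ticket describes: append with a
# comma when the variable already exists. Not the distribution's source.
sub header_append {
    my ($env, $name, $value) = @_;
    (my $tag = uc $name) =~ tr/-/_/;
    $tag = "HTTP_$tag";
    $env->{$tag} = exists $env->{$tag} ? "$env->{$tag}, $value" : $value;
}

# Alternative suggested in the ticket: drop every pre-existing HTTP_*
# entry before the request headers are copied in.
sub clear_http_env {
    my ($env) = @_;
    delete @{$env}{ grep { /^HTTP_/ } keys %$env };
}

# Constructed request headers (name/value pairs in arrival order).
my @request = (
    [ 'Host'   => 'localhost:50000' ],
    [ 'Accept' => 'text/html' ],
    [ 'Accept' => 'application/json' ],
);

# Constructed leftover state, as in the ticket's test framework case.
my %stale = ( HTTP_HOST => 'localhost', PATH => '/usr/bin' );

# Without clearing: the stale HTTP_HOST is joined with the request's Host.
my %naive = %stale;
header_append(\%naive, @$_) for @request;

# With clearing: only values from this request reach HTTP_*.
my %clean = %stale;
clear_http_env(\%clean);
header_append(\%clean, @$_) for @request;

printf "%-8s HTTP_HOST=%s\n",   'naive:',   $naive{HTTP_HOST};
printf "%-8s HTTP_HOST=%s\n",   'cleared:', $clean{HTTP_HOST};
printf "%-8s HTTP_ACCEPT=%s\n", 'cleared:', $clean{HTTP_ACCEPT};
```

Clearing handles the leftover-environment case only: a client that repeats a non-list header such as Host within one request would still see the values joined, which needs the per-field check the ticket mentions.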
