From 2cf1b3df5d58c716ada873f0ae7803142e3da362 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Mon, 16 Nov 2015 23:55:01 +0000
Subject: http_response: allow nil values in response headers
This blatantly violates Rack SPEC, but we've had this bug since March 2009[1]. Thus, we cannot expect all existing applications and middlewares to fix this bug and will probably have to support it forever. Unfortunately, supporting this bug contributes to application server lock-in, but at least we'll document it as such.
[1] commit 1835c9e2e12e6674b52dd80e4598cad9c4ea1e84 ("HttpResponse: speed up non-multivalue headers")
Reported-by: Owen Ou
Ref:
---
 lib/unicorn/http_response.rb | 2 +-
 test/unit/test_response.rb | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/unicorn/http_response.rb b/lib/unicorn/http_response.rb
index c1aa738..7b446c2 100644
--- a/lib/unicorn/http_response.rb
+++ b/lib/unicorn/http_response.rb
@@ -37,7 +37,7 @@ module Unicorn::HttpResponse
 # key in Rack < 1.5
 hijack = value
 else
- if value.include?("\n".freeze)
+ if value =~ /\n/
 # avoiding blank, key-only cookies with /\n+/
 value.split(/\n+/).each { |v| buf << "#{key}: #{v}\r\n" }
 else
diff --git a/test/unit/test_response.rb b/test/unit/test_response.rb
index 0b14d59..fbe433f 100644
--- a/test/unit/test_response.rb
+++ b/test/unit/test_response.rb
@@ -33,6 +33,15 @@ class ResponseTest < Test::Unit::TestCase
 assert out.length > 0, "output didn't have data"
 end
 
+ # ref:
+ def test_response_header_broken_nil
+ out = StringIO.new
+ http_response_write(out, 200, {"Nil" => nil}, %w(hysterical raisin))
+ assert ! out.closed?
+
+ assert_match %r{^Nil: \r\n}sm, out.string, 'nil accepted'
+ end
+
 def test_response_string_status
 out = StringIO.new
 http_response_write(out,'200', {}, [])
--
cgit v1.2.3-24-ge0c7
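Review bot: Switching the guard to `if value =~ /\n/` tolerates more than nil: on Rubies where `Object#=~` exists, any non-String header value (Integer, Symbol, an arbitrary object) now falls through to the `else` branch instead of raising as `include?` did. That branch and the rest of the enclosing method lie outside the hunk, but if it interpolates `value` into the header line, an object whose `to_s` contains a newline would skip the `split(/\n+/)` path and be written unsplit. If nil is the only legacy case that has to keep working, `if value && value.include?("\n".freeze)` accepts it while still failing closed on other types. Either way, a comment on this line such as `# nil violates Rack SPEC but is tolerated for compatibility; do not switch back to a bare include?` would record the deliberate exception that the commit message promises to document.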
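Review bot: The `sm` flags on `%r{^Nil: \r\n}sm` do not do what they suggest: in Ruby `s` selects the Windows-31J encoding rather than dot-all, and `m` only changes how `.` matches, which this pattern never uses. `assert_match %r{^Nil: \r\n}, out.string, 'nil accepted'` checks the same output without pinning an encoding on the regexp. The test also exercises only nil; a companion case showing what happens to a non-String, non-nil value would document where the compatibility exception is meant to stop.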