From fddbfa6929569685bcb92f54f6938df97bccd575 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Tue, 5 Jan 2010 17:48:13 -0800
Subject: http_response: disallow blank, multi-value headers

The HeaderHash optimizations in Rack 1.1 interact badly with Rails 2.3.5 (and possibly other frameworks/apps) which set multi-value "Set-Cookie" headers without relying on the proper methods provided by Rack::Utils.

While this is an issue with Rails not using properly, there may be similar apps that make this mistake and Rack::Lint does not guard against it.

Rack-ML-Ref: <20100105235845.GB3377@dcvr.yhbt.net>
---
 lib/rainbows/http_response.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/rainbows/http_response.rb b/lib/rainbows/http_response.rb
index 39ebd32..55c2ad2 100644
--- a/lib/rainbows/http_response.rb
+++ b/lib/rainbows/http_response.rb
@@ -16,7 +16,8 @@ module Rainbows
         next if %r{\AX-Rainbows-}i =~ key
         next if SKIP.include?(key.downcase)
         if value =~ /\n/
-          out.concat(value.split(/\n/).map! { |v| "#{key}: #{v}\r\n" })
+          # avoiding blank, key-only cookies with /\n+/
+          out.concat(value.split(/\n+/).map! { |v| "#{key}: #{v}\r\n" })
         else
           out << "#{key}: #{value}\r\n"
         end
-- 
cgit v1.2.3-24-ge0c7
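Review bot: The `split(/\n+/)` on the added `out.concat` line still emits a blank, key-only header when the value *starts* with a newline, because Ruby's `String#split` with a regexp keeps a leading empty field and only discards trailing ones (`"\nfoo".split(/\n+/)` is `["", "foo"]`), so the commit's stated goal is only half met. A value whose entries are joined with `\r\n` rather than bare `\n` also slips through: each piece keeps a stray `\r` (`"Set-Cookie: foo\r\r\n"` goes on the wire) and `"a\r\n\r\n"` still yields an empty entry since the `\r` breaks up the `\n+` run. Splitting on any CR/LF run and dropping empties covers all of these in one line: `out.concat(value.split(/[\r\n]+/).reject { |v| v.empty? }.map! { |v| "#{key}: #{v}\r\n" })`, with the comment updated to `# drop blank, key-only entries and stray CRs from multi-value headers`. The `else` branch writes `value` verbatim and is unaffected; note that the method this loop belongs to begins before and ends after the hunk, so its other header handling was not reviewed here.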