unicorn Ruby/Rack server user+dev discussion/patches/pulls/bugs/help
 help / color / mirror / code / Atom feed
   commit 52400de1c9e9437b5c9df899f273485f663bb5b5 (patch)
   parent 8da4448 local.mk.sample: use rack-1.1.0
     tree 38d9e34e2693a6e4694fd0189f5f3f01356cacde
   author Eric Wong <normalperson@yhbt.net>  2010-01-05 17:36:17 -0800
committer Eric Wong <normalperson@yhbt.net>  2010-01-05 17:37:50 -0800

http_response: disallow blank, multi-value headers

The HeaderHash optimizations in Rack 1.1 interact badly with
Rails 2.3.5 (and possibly other frameworks/apps) which set
multi-value "Set-Cookie" headers without relying on the proper
methods provided by Rack::Utils.

While this is an issue with Rails not using properly, there
may be similar apps that make this mistake and Rack::Lint
does not guard against it.

Rack-ML-Ref: <20100105235845.GB3377@dcvr.yhbt.net>
 lib/unicorn/http_response.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/unicorn/http_response.rb b/lib/unicorn/http_response.rb
index 92d4d6d..96e484b 100644
--- a/lib/unicorn/http_response.rb
+++ b/lib/unicorn/http_response.rb
@@ -47,7 +47,8 @@ def self.write(socket, rack_response, have_header = true)
         headers.each do |key, value|
           next if SKIP.include?(key.downcase)
           if value =~ /\n/
-            out.concat(value.split(/\n/).map! { |v| "#{key}: #{v}\r\n" })
+            # avoiding blank, key-only cookies with /\n+/
+            out.concat(value.split(/\n+/).map! { |v| "#{key}: #{v}\r\n" })
             out << "#{key}: #{value}\r\n"

Commit objects reference one tree, and zero or more parents.

Single parent commits can typically generate a patch in
unified diff format via `git format-patch'.

Multiple parents means the commit is a merge.

Root commits have no ancestor.  Note that it is
possible to have multiple root commits when merging independent histories.

Every commit references one top-level tree object.

Code repositories for project(s) associated with this public inbox


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).