unicorn Ruby/Rack server user+dev discussion/patches/pulls/bugs/help
commit 52400de1c9e9437b5c9df899f273485f663bb5b5
Author: Eric Wong <normalperson@yhbt.net>
Date:   Tue Jan 5 17:36:17 2010 -0800

    http_response: disallow blank, multi-value headers
    
    The HeaderHash optimizations in Rack 1.1 interact badly with
    Rails 2.3.5 (and possibly other frameworks/apps) which set
    multi-value "Set-Cookie" headers without relying on the proper
    methods provided by Rack::Utils.
    
    While this is an issue with Rails not using them properly, there
    may be similar apps that make this mistake and Rack::Lint
    does not guard against it.
    
    Rack-ML-Ref: <20100105235845.GB3377@dcvr.yhbt.net>

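The interaction the commit message describes, as an added example that is not unicorn's or Rails' own code: a Rack header value joins multiple values with "\n", and the server turns each piece into a repeated header line. A value with a doubled newline (the kind a framework managing "Set-Cookie" by hand can produce) yields a blank, key-only header line under the old single-newline split but not under the patched one. The `serialize_strict` variant, the `SAMPLE` and `LEADING` hashes and the helper names are assumptions constructed for this illustration.

```ruby
# Added example, not code from unicorn or Rails. Shows how a newline-joined
# multi-value header is written out as repeated header lines, and why the
# old split(/\n/) emits a blank "Set-Cookie: " line that split(/\n+/) avoids.

# Headers the server generates itself; application copies are dropped.
SKIP = %w(connection date status)

# Core loop shared by all three variants: the block decides how a
# newline-containing value is split into per-line pieces.
def write_headers(headers)
  out = []
  headers.each do |key, value|
    next if SKIP.include?(key.downcase)
    if value =~ /\n/
      yield(value).each { |v| out << "#{key}: #{v}\r\n" }
    else
      out << "#{key}: #{value}\r\n"
    end
  end
  out
end

# Pre-patch behaviour: split on every single "\n", so "\n\n" yields "".
def serialize_old(headers)
  write_headers(headers) { |value| value.split(/\n/) }
end

# Patched behaviour: one or more consecutive newlines form one separator.
def serialize_new(headers)
  write_headers(headers) { |value| value.split(/\n+/) }
end

# Hypothetical stricter variant (an assumption, not unicorn's code): drop
# every empty piece, which also covers a value that starts with "\n",
# where split(/\n+/) still returns a leading "".
def serialize_strict(headers)
  write_headers(headers) { |value| value.split(/\n+/).reject { |v| v.empty? } }
end

# Count key-only header lines of the form "Key: \r\n".
def blank_header_lines(lines)
  lines.count { |l| l =~ /\A[^:]+: \r\n\z/ }
end

# Constructed sample: two cookies joined by a doubled newline, as a
# framework that assembles "Set-Cookie" by hand might produce.
SAMPLE = {
  "Content-Type" => "text/html",
  "Set-Cookie"   => "session=abc123; path=/\n\nremember=1; path=/",
}

# Constructed edge case: value beginning with a newline.
LEADING = { "Set-Cookie" => "\nsession=abc123; path=/" }

if __FILE__ == $0
  puts "old:    #{serialize_old(SAMPLE).inspect}"
  puts "new:    #{serialize_new(SAMPLE).inspect}"
  puts "new/leading:    #{serialize_new(LEADING).inspect}"
  puts "strict/leading: #{serialize_strict(LEADING).inspect}"
end
```

Running the file prints the four serializations; the old split produces `"Set-Cookie: \r\n"` for the doubled newline, the patched split does not, and only the stricter variant removes the blank line caused by a leading newline.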
diff --git a/lib/unicorn/http_response.rb b/lib/unicorn/http_response.rb
index 92d4d6d..96e484b 100644
--- a/lib/unicorn/http_response.rb
+++ b/lib/unicorn/http_response.rb
@@ -47,7 +47,8 @@ module Unicorn
         headers.each do |key, value|
           next if SKIP.include?(key.downcase)
           if value =~ /\n/
-            out.concat(value.split(/\n/).map! { |v| "#{key}: #{v}\r\n" })
+            # avoiding blank, key-only cookies with /\n+/
+            out.concat(value.split(/\n+/).map! { |v| "#{key}: #{v}\r\n" })
           else
             out << "#{key}: #{value}\r\n"
           end
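Review bot: the `/\n+/` split still emits a blank, key-only header when the value begins with a newline, because `"\nfoo".split(/\n+/)` returns `["", "foo"]` (Ruby keeps leading empty strings and drops only trailing ones). If the intent is to never write `"#{key}: \r\n"`, filter the pieces instead of relying on the separator, e.g. `value.split(/\n+/).reject { |v| v.empty? }`, or skip empty `v` inside the `map!`. Also, the comment mentions cookies, but this branch applies to every multi-value header, so "blank, key-only headers" would describe it more accurately.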

found 52400de1c9e9437b5c9df899f273485f663bb5b5 in https://yhbt.net/unicorn.git