Prohibit headers to contain newlines

Mons · Jun 30, 2023 · a6fecac · a6fecac
1 parent bba5e60
commit a6fecac
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 10 deletions.
diff --git a/META.json b/META.json
@@ -40,6 +40,6 @@
       }
    },
    "release_status" : "stable",
-   "version" : "1.99996",
+   "version" : "1.99998",
    "x_serialization_backend" : "JSON::PP version 4.06"
 }
diff --git a/META.yml b/META.yml
@@ -22,5 +22,5 @@ requires:
   Digest::SHA1: '2'
   HTTP::Easy: '0.02'
   JSON::XS: '3'
-version: '1.99996'
+version: '1.99998'
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff --git a/Makefile.PL b/Makefile.PL
@@ -10,6 +10,7 @@ WriteMakefile(
 		'Digest::SHA1' => 2,
 		'JSON::XS'     => 3,
 		'HTTP::Easy'   => 0.04,
+		'Class::XSAccessor' => 0,
 	},
 	ABSTRACT_FROM     => 'lib/AnyEvent/HTTP/Server.pm', # retrieve abstract from module
 	AUTHOR            => 'Mons Anderson <[email protected]>',

diff --git a/lib/AnyEvent/HTTP/Server.pm b/lib/AnyEvent/HTTP/Server.pm
@@ -8,7 +8,7 @@ AnyEvent::HTTP::Server - AnyEvent HTTP/1.1 Server
 
 our $VERSION;
 BEGIN{
-$VERSION = '1.99997';
+$VERSION = '1.99998';
 }
 
 use AnyEvent::HTTP::Server::Kit;

diff --git a/lib/AnyEvent/HTTP/Server/Req.pm b/lib/AnyEvent/HTTP/Server/Req.pm
@@ -273,10 +273,15 @@ BEGIN {
 				$h->{'content-type'} = 'application/octet-stream';
 			}
 			for (keys %$h) {
-				if (exists $hdr{lc $_}) { $good[ $hdri{lc $_} ] = $hdr{ lc $_ }.": ".$h->{$_}.$LF; }
-				else { push @bad, "\u\L$_\E: ".$h->{$_}.$LF; }
+				if (exists $hdr{lc $_}) { $good[ $hdri{lc $_} ] = $hdr{ lc $_ }.": ".$h->{$_}; }
+				else { push @bad, "\u\L$_\E: ".$h->{$_}; }
+			}
+			for (@good,@bad) {
+				if (defined()) {
+					s/[\r\n]+/ /g;
+					$reply .= $_ . $LF;
+				}
 			}
-			defined() and $reply .= $_ for @good,@bad;
 			$reply .= $LF;
 			if( $self->{writer} ) {
 				$self->{writer}->( \$reply );
@@ -360,7 +365,7 @@ BEGIN {
 			}
 
 			for (keys %$h) {
-				if (exists $hdr{lc $_}) { $good[ $hdri{lc $_} ] = $hdr{ lc $_ }.": ".$h->{$_}.$LF; }
+				if (exists $hdr{lc $_}) { $good[ $hdri{lc $_} ] = $hdr{ lc $_ }.": ".$h->{$_}; }
 				else {
 					if (lc $_ eq 'set-cookie' ) {
 						my $cookies = HTTP::Easy::Cookies->decode($h->{$_});
@@ -376,16 +381,21 @@ BEGIN {
 									push @c, "Secure"  if $o->{secure};
 									push @c, "HttpOnly"  if $o->{httponly};
 									push @c, "SameSite=" . $o->{samesite} if $o->{samesite};
-									push @bad, "\u\Lset-cookie\E: ". join('; ',@c) .$LF;
+									push @bad, "\u\Lset-cookie\E: ". join('; ',@c);
 								}
 							}
 						}
 					} else {
-						push @bad, "\u\L$_\E: ".$h->{$_}.$LF;
+						push @bad, "\u\L$_\E: ".$h->{$_};
 					}
 				}
 			}
-			defined() and $reply .= $_ for @good,@bad;
+			for (@good,@bad) {
+				if (defined()) {
+					s/[\r\n]+/ /g;
+					$reply .= $_ . $LF;
+				}
+			}
 			# 2 is size of LF
 			$self->attrs->{head_size} = length($reply) + 2;
 			$self->attrs->{body_size} = length $content;