author | Brian White <mscdex@mscdex.net> | 2017-02-09 06:49:39 -0500 |
---|---|---|
committer | Brian White <mscdex@mscdex.net> | 2017-03-09 08:10:25 -0500 |
commit | 6b2cef65c99cb40fb9ca0789670b9ea9f5fcc2dd (patch) | |
tree | b1348fbb4974dd34d77fcd0c21a321b84be5b317 /lib/_http_incoming.js | |
parent | 8243ca0e0e87b3e114d9ddf2843d1272bc56b053 (diff) | |
http: append Cookie header values with semicolon
Previously, separate incoming Cookie headers would be concatenated
with a comma, which can cause confusion in userland code when it
comes to parsing the final Cookie header value. This commit
concatenates using a semicolon instead.
Fixes: https://github.com/nodejs/node/issues/11256
PR-URL: https://github.com/nodejs/node/pull/11259
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Diffstat (limited to 'lib/_http_incoming.js')
-rw-r--r-- | lib/_http_incoming.js | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/lib/_http_incoming.js b/lib/_http_incoming.js
index 53419323f4..d838891790 100644
--- a/lib/_http_incoming.js
+++ b/lib/_http_incoming.js
@@ -194,6 +194,9 @@ function matchKnownFields(field) {
 case 'Set-Cookie':
 case 'set-cookie':
 return '\u0001';
+ case 'Cookie':
+ case 'cookie':
+ return '\u0002cookie';
 // The fields below are not used in _addHeaderLine(), but they are common
 // headers where we can avoid toLowerCase() if the mixed or lower case
 // versions match the first time through.
@@ -215,9 +218,6 @@ function matchKnownFields(field) {
 case 'Content-Encoding':
 case 'content-encoding':
 return '\u0000content-encoding';
- case 'Cookie':
- case 'cookie':
- return '\u0000cookie';
 case 'Origin':
 case 'origin':
 return '\u0000origin';
@@ -263,18 +263,20 @@ function matchKnownFields(field) {
 //
 // Per RFC2616, section 4.2 it is acceptable to join multiple instances of the
 // same header with a ', ' if the header in question supports specification of
-// multiple values this way. If not, we declare the first instance the winner
-// and drop the second. Extended header fields (those beginning with 'x-') are
-// always joined.
+// multiple values this way. The one exception to this is the Cookie header,
+// which has multiple values joined with a '; ' instead. If a header's values
+// cannot be joined in either of these ways, we declare the first instance the
+// winner and drop the second. Extended header fields (those beginning with
+// 'x-') are always joined.
 IncomingMessage.prototype._addHeaderLine = _addHeaderLine;
 function _addHeaderLine(field, value, dest) {
 field = matchKnownFields(field);
 var flag = field.charCodeAt(0);
- if (flag === 0) {
+ if (flag === 0 || flag === 2) {
 field = field.slice(1);
- // Make comma-separated list
+ // Make a delimited list
 if (typeof dest[field] === 'string') {
- dest[field] += ', ' + value;
+ dest[field] += (flag === 0 ? ', ' : '; ') + value;
 } else {
 dest[field] = value;
 } |
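Review bot: The new `return '\u0002cookie';` in `matchKnownFields` introduces a third prefix byte with nothing at the return site saying what it selects. A short comment there would keep the switch readable, for example `// '\u0002': _addHeaderLine() joins repeated values with '; '`. The switch begins and ends outside this hunk, so an existing explanation of the prefix bytes may sit elsewhere in the function; if it does, it would need the new value added.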
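Review bot: With the `'; '` join in `_addHeaderLine`, cookies from a second Cookie header line now parse as ordinary cookies of the merged value, so a cookie name that arrives in two header lines is resolved entirely by the downstream parser's duplicate-name policy. The block comment above the function is the place to state that, e.g. `// Repeated Cookie lines are merged verbatim; duplicate cookie names are not resolved here.` Code that needs the original line boundaries can presumably still read them from `rawHeaders`, which this hunk does not touch. The body of `_addHeaderLine` continues past the end of the hunk.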