From 39ef82402f22e6ae04695015b1ea2a5d67e5b8d7 Mon Sep 17 00:00:00 2001
From: Brian White
Date: Mon, 28 Dec 2015 18:41:34 -0500
Subject: [PATCH] http: fix non-string header value concatenation

Since headers are stored in an empty literal object ({}) instead of an object created with Object.create(null), care must be taken with property names inherited from Object. Currently there are only functions inherited, so we can safely check for existing strings instead.

Fixes: https://github.com/nodejs/node/issues/4456
PR-URL: https://github.com/nodejs/node/pull/4460
Reviewed-By: Fedor Indutny
Reviewed-By: Rich Trott
Reviewed-By: Colin Ihrig
Reviewed-By: Myles Borins
Reviewed-By: Minwoo Jung
---
 lib/_http_incoming.js | 2 +-
 test/parallel/test-http-server-multiheaders.js | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/_http_incoming.js b/lib/_http_incoming.js
index e16f198dba71bd..4f001041f8af89 100644
--- a/lib/_http_incoming.js
+++ b/lib/_http_incoming.js
@@ -159,7 +159,7 @@ IncomingMessage.prototype._addHeaderLine = function(field, value, dest) {
 default:
 // make comma-separated list
- if (dest[field] !== undefined) {
+ if (typeof dest[field] === 'string') {
 dest[field] += ', ' + value;
 } else {
 dest[field] = value;
diff --git a/test/parallel/test-http-server-multiheaders.js b/test/parallel/test-http-server-multiheaders.js
index 7033ef8e7079f2..99d72988479928 100644
--- a/test/parallel/test-http-server-multiheaders.js
+++ b/test/parallel/test-http-server-multiheaders.js
@@ -16,6 +16,7 @@ var srv = http.createServer(function(req, res) {
 assert.equal(req.headers['x-bar'], 'banjo, bango');
 assert.equal(req.headers['sec-websocket-protocol'], 'chat, share');
 assert.equal(req.headers['sec-websocket-extensions'], 'foo; 1, bar; 2, baz');
+ assert.equal(req.headers['constructor'], 'foo, bar, baz');
 res.writeHead(200, {'Content-Type' : 'text/plain'});
 res.end('EOF');
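Review bot: In lib/_http_incoming.js, the new `typeof dest[field] === 'string'` guard in the `default:` branch of `_addHeaderLine` separates a stored header from an inherited member by value type rather than by ownership, so it stays correct only while `Object.prototype` carries no string-valued property, which is the assumption the commit message states. An ownership test, `if (Object.prototype.hasOwnProperty.call(dest, field)) {`, would not depend on what other code adds to the prototype. Neither form makes a header named `__proto__` readable, because assigning a string to that name on an ordinary object is ignored; building `dest` with `Object.create(null)` would remove the whole class of collisions, but where `dest` is created is outside this hunk, as are the start and end of the function.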
@@ -48,7 +49,10 @@ srv.listen(common.PORT, function() {
 ['sec-websocket-protocol', 'share'],
 ['sec-websocket-extensions', 'foo; 1'],
 ['sec-websocket-extensions', 'bar; 2'],
- ['sec-websocket-extensions', 'baz']
+ ['sec-websocket-extensions', 'baz'],
+ ['constructor', 'foo'],
+ ['constructor', 'bar'],
+ ['constructor', 'baz'],
 ]
 });
 });
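Review bot: The header pairs added to this request cover `constructor` only, a name that resolves to an inherited function. `__proto__` resolves to an object instead and takes the `else` assignment in `_addHeaderLine`, and no assertion in this test pins what `req.headers` reports for it. Adding a pair such as `['__proto__', 'foo'],` with a matching `assert.equal` in the request handler would record that behaviour, whichever result is intended. The enclosing `srv.listen` callback starts outside the hunk.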