From ffb4a6e0e4f0aaeb39b829d3fba9897a5c97720a Mon Sep 17 00:00:00 2001 From: Brian White Date: Mon, 28 Dec 2015 18:41:34 -0500 Subject: [PATCH] http: fix non-string header value concatenation Since headers are stored in an empty literal object ({}) instead of an object created with Object.create(null), care must be taken with property names inherited from Object. Currently there are only functions inherited, so we can safely check for existing strings instead. Fixes: https://github.com/nodejs/node/issues/4456 PR-URL: https://github.com/nodejs/node/pull/4460 Reviewed-By: Fedor Indutny Reviewed-By: Rich Trott Reviewed-By: Colin Ihrig Reviewed-By: Myles Borins Reviewed-By: Minwoo Jung --- lib/_http_incoming.js | 2 +- test/parallel/test-http-server-multiheaders.js | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/_http_incoming.js b/lib/_http_incoming.js index 5377c84d5d..581f62f129 100644 --- a/lib/_http_incoming.js +++ b/lib/_http_incoming.js @@ -165,7 +165,7 @@ IncomingMessage.prototype._addHeaderLine = function(field, value, dest) { default: // make comma-separated list - if (dest[field] !== undefined) { + if (typeof dest[field] === 'string') { dest[field] += ', ' + value; } else { dest[field] = value; diff --git a/test/parallel/test-http-server-multiheaders.js b/test/parallel/test-http-server-multiheaders.js index 7033ef8e70..99d7298847 100644 --- a/test/parallel/test-http-server-multiheaders.js +++ b/test/parallel/test-http-server-multiheaders.js @@ -16,6 +16,7 @@ var srv = http.createServer(function(req, res) { assert.equal(req.headers['x-bar'], 'banjo, bango'); assert.equal(req.headers['sec-websocket-protocol'], 'chat, share'); assert.equal(req.headers['sec-websocket-extensions'], 'foo; 1, bar; 2, baz'); + assert.equal(req.headers['constructor'], 'foo, bar, baz'); res.writeHead(200, {'Content-Type' : 'text/plain'}); res.end('EOF'); @@ -48,7 +49,10 @@ srv.listen(common.PORT, function() { ['sec-websocket-protocol', 'share'], ['sec-websocket-extensions', 'foo; 1'], ['sec-websocket-extensions', 'bar; 2'], - ['sec-websocket-extensions', 'baz'] + ['sec-websocket-extensions', 'baz'], + ['constructor', 'foo'], + ['constructor', 'bar'], + ['constructor', 'baz'], ] }); });