http: do not allow multiple instances of certain response headers

Response headers such as ETag and Last-Modified do not permit multiple instances, and therefore the comma-separated syntax is not allowed. When multiple values for these headers are specified, use only the first instance. Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> PR-URL: #3090
nodejs · Oct 6, 2015 · e655a43 · e655a43
1 parent 0094a8d
commit e655a43
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/lib/_http_incoming.js b/lib/_http_incoming.js
@@ -152,6 +152,12 @@ IncomingMessage.prototype._addHeaderLine = function(field, value, dest) {
  case 'from':
  case 'location':
  case 'max-forwards':
+ case 'retry-after':
+ case 'etag':
+ case 'last-modified':
+ case 'server':
+ case 'age':
+ case 'expires':
  // drop duplicates
  if (dest[field] === undefined)
  dest[field] = value;

diff --git a/test/parallel/test-http-response-multiheaders.js b/test/parallel/test-http-response-multiheaders.js
@@ -0,0 +1,54 @@
+'use strict';
+
+const common = require('../common');
+const http = require('http');
+const assert = require('assert');
+
+// Test that certain response header fields do not repeat
+const norepeat = [
+ 'retry-after',
+ 'etag',
+ 'last-modified',
+ 'server',
+ 'age',
+ 'expires'
+];
+
+const server = http.createServer(function(req, res) {
+ var num = req.headers['x-num'];
+ if (num == 1) {
+ for (let name of norepeat) {
+ res.setHeader(name, ['A', 'B']);
+ }
+ res.setHeader('X-A', ['A', 'B']);
+ } else if (num == 2) {
+ let headers = {};
+ for (let name of norepeat) {
+ headers[name] = ['A', 'B'];
+ }
+ headers['X-A'] = ['A', 'B'];
+ res.writeHead(200, headers);
+ }
+ res.end('ok');
+});
+
+server.listen(common.PORT, common.mustCall(function() {
+ for (let n = 1; n <= 2 ; n++) {
+ // this runs twice, the first time, the server will use
+ // setHeader, the second time it uses writeHead. The
+ // result on the client side should be the same in
+ // either case -- only the first instance of the header
+ // value should be reported for the header fields listed
+ // in the norepeat array.
+ http.get(
+ {port:common.PORT, headers:{'x-num': n}},
+ common.mustCall(function(res) {
+ if (n == 2) server.close();
+ for (let name of norepeat) {
+ assert.equal(res.headers[name], 'A');
+ }
+ assert.equal(res.headers['x-a'], 'A, B');
+ })
+ );
+ }
+}));