http: fix non-string header value concatenation

Since headers are stored in an empty literal object ({}) instead
of an object created with Object.create(null), care must be taken
with property names inherited from Object. Currently there are
only functions inherited, so we can safely check for existing
strings instead.

Fixes: #4456
PR-URL: #4460
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Minwoo Jung <[email protected]>

Author: mscdex

lib/_http_incoming.js

@@ -159,7 +159,7 @@ IncomingMessage.prototype._addHeaderLine = function(field, value, dest) {
 
     default:
       // make comma-separated list
-      if (dest[field] !== undefined) {
+      if (typeof dest[field] === 'string') {
         dest[field] += ', ' + value;
       } else {
         dest[field] = value;

test/parallel/test-http-server-multiheaders.js

@@ -16,6 +16,7 @@ var srv = http.createServer(function(req, res) {
   assert.equal(req.headers['x-bar'], 'banjo, bango');
   assert.equal(req.headers['sec-websocket-protocol'], 'chat, share');
   assert.equal(req.headers['sec-websocket-extensions'], 'foo; 1, bar; 2, baz');
+  assert.equal(req.headers['constructor'], 'foo, bar, baz');
 
   res.writeHead(200, {'Content-Type' : 'text/plain'});
   res.end('EOF');
@@ -48,7 +49,10 @@ srv.listen(common.PORT, function() {
       ['sec-websocket-protocol', 'share'],
       ['sec-websocket-extensions', 'foo; 1'],
       ['sec-websocket-extensions', 'bar; 2'],
-      ['sec-websocket-extensions', 'baz']
+      ['sec-websocket-extensions', 'baz'],
+      ['constructor', 'foo'],
+      ['constructor', 'bar'],
+      ['constructor', 'baz'],
     ]
   });
 });