http: do not allow multiple instances of certain response headers

jasnell · jasnell · commit e655a437b3fd · 2015-10-06T14:53:21.000-07:00
Response headers such as ETag and Last-Modified do not permit multiple instances, and therefore the comma-separated syntax is not allowed. When multiple values for these headers are specified, use only the first instance. Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> PR-URL: #3090
diff --git a/lib/_http_incoming.js b/lib/_http_incoming.js
@@ -152,6 +152,12 @@ IncomingMessage.prototype._addHeaderLine = function(field, value, dest) {
     case 'from':
     case 'location':
     case 'max-forwards':
+    case 'retry-after':
+    case 'etag':
+    case 'last-modified':
+    case 'server':
+    case 'age':
+    case 'expires':
       // drop duplicates
       if (dest[field] === undefined)
         dest[field] = value;
diff --git a/test/parallel/test-http-response-multiheaders.js b/test/parallel/test-http-response-multiheaders.js
@@ -0,0 +1,54 @@
+'use strict';
+
+const common = require('../common');
+const http = require('http');
+const assert = require('assert');
+
+// Test that certain response header fields do not repeat
+const norepeat = [
+  'retry-after',
+  'etag',
+  'last-modified',
+  'server',
+  'age',
+  'expires'
+];
+
+const server = http.createServer(function(req, res) {
+  var num = req.headers['x-num'];
+  if (num == 1) {
+    for (let name of norepeat) {
+      res.setHeader(name, ['A', 'B']);
+    }
+    res.setHeader('X-A', ['A', 'B']);
+  } else if (num == 2) {
+    let headers = {};
+    for (let name of norepeat) {
+      headers[name] = ['A', 'B'];
+    }
+    headers['X-A'] = ['A', 'B'];
+    res.writeHead(200, headers);
+  }
+  res.end('ok');
+});
+
+server.listen(common.PORT, common.mustCall(function() {
+  for (let n = 1; n <= 2 ; n++) {
+    // this runs twice, the first time, the server will use
+    // setHeader, the second time it uses writeHead. The
+    // result on the client side should be the same in
+    // either case -- only the first instance of the header
+    // value should be reported for the header fields listed
+    // in the norepeat array.
+    http.get(
+      {port:common.PORT, headers:{'x-num': n}},
+      common.mustCall(function(res) {
+        if (n == 2) server.close();
+        for (let name of norepeat) {
+          assert.equal(res.headers[name], 'A');
+        }
+        assert.equal(res.headers['x-a'], 'A, B');
+      })
+    );
+  }
+}));
