erlyaws / yaws

Yaws webserver
https://erlyaws.github.io
BSD 3-Clause "New" or "Revised" License

Error in creation of output HTTP headers #386

Closed etnt closed 5 years ago

etnt commented 5 years ago

https://github.com/klacke/yaws/blob/0828ddaf02ef1062d327d84726645fca9b2147ab/src/yaws.erl#L2016

This line is problematic since if the 'Hdr' contains an empty list then we will put in a Key/Value pair as []/[] into the 'Hdrs' map, which then will cause the accumulate_header/1 function to produce a bogus header such as: ' : '.

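    %% Appends "Name: What\r\n" to the accumulated 'other' headers.
    %% With Name = [] and What = [] the appended line is ": \r\n".
    accumulate_header({Name, What}) when is_list(Name) ->
        H = get(outh),
        Old = case H#outh.other of
                  undefined -> [];
                  V         -> V
              end,
        H2 = H#outh{other = [Old, Name, ": ", What, "\r\n"]},
        put(outh, H2);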

I detected this because in our case the #outh.server element is '[]' which will cause the funny 'Hdrs' map entry to be created.

The fix should be to add a new clause before matching against an empty list 'Hdr' and then return the Acc.
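
The failure mode and the suggested extra clause, as an added example that is not part of the original issue and is not code from Yaws. The module `hdr_fold_demo`, its functions `split_header/1`, `buggy/1`, `fixed/1`, `render/1`, `demo/0` and the sample header list are hypothetical and only model the fold described above.

```erlang
%% Added illustration; not code from Yaws. All names here are hypothetical.
-module(hdr_fold_demo).
-export([buggy/1, fixed/1, render/1, demo/0]).

%% Split a rendered "Name: Value" string into {Name, Value}.
%% For the empty list this returns {[], []}.
split_header(Hdr) ->
    {Name, Rest} = lists:splitwith(fun(C) -> C =/= $: end, Hdr),
    Value = string:trim(lists:dropwhile(fun(C) -> C =:= $: end, Rest)),
    {Name, Value}.

%% Every element, including [], becomes a map entry.
buggy(Hdrs) ->
    lists:foldl(fun(Hdr, Acc) ->
                        {K, V} = split_header(Hdr),
                        Acc#{K => V}
                end, #{}, Hdrs).

%% An extra clause placed first skips unset headers and returns Acc unchanged.
fixed(Hdrs) ->
    lists:foldl(fun([], Acc) ->
                        Acc;
                   (Hdr, Acc) ->
                        {K, V} = split_header(Hdr),
                        Acc#{K => V}
                end, #{}, Hdrs).

%% Serialize the map the same way accumulate_header/1 builds each line.
render(Map) ->
    lists:flatten([[K, ": ", V, "\r\n"] || {K, V} <- maps:to_list(Map)]).

%% Constructed sample: the middle element stands in for an unset Server header.
demo() ->
    Hdrs = ["Connection: close", [], "Content-Type: text/html"],
    io:format("buggy: ~p~nfixed: ~p~n",
              [render(buggy(Hdrs)), render(fixed(Hdrs))]).
```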

vinoski commented 5 years ago

I'll submit the suggested fix, but I wish I had a regression test for this. I tried to extend the current extra_response_headers test to cover this case but nothing I did caused any failure. How is your code causing an empty server header?

etnt commented 5 years ago

The #sconf.yaws and #gconf.yaws are empty. See the yaws:make_server_header/0 function.

etnt commented 5 years ago

I have now verified that the fix really works :-)