| Subject: | H::S::S::C::Environment should not blindly concatenate headers |
The header() subroutine appends to $ENV{$tag} with a comma if $ENV{$tag}
exists. This violates RFC 2616, which states: "Multiple message-header
fields with the same field-name MAY be present in a message if and only
if the entire field-value for that header field is defined as a
comma-separated list [i.e., #(values)]".
Should a non-compliant client repeat headers that should not be repeated
or if a server is misconfigured to have a conflicting $ENV{HTTP_*}
variable, then H::S::S::C::E will blindly tack them on with commas.
I noticed this while testing a web app when one part of the test
framework left $ENV{HTTP_HOST} set to "localhost", resulting in C<<
$ENV{HTTP_HOST} = "localhost, localhost:50000" >>. Since HTTP_HOST is
used to construct return URIs, bad thing ensued.
As an alternative to actually checking which fields can/can't take
commas, possibly delete all pre-existing $ENV{HTTP_*} before added them
from request headers.