Merge [121447] to trunk - ZPublisher: HTTPResponse.appendHeader now keeps header values to a single

line by default to avoid causing problems for proxy servers which do not correctly handle multi-line headers. (Merged from 2.13 branch.)

Merge [121447] to trunk - ZPublisher: HTTPResponse.appendHeader now keeps header values to a single
line by default to avoid causing problems for proxy servers which do not correctly handle multi-line headers. (Merged from 2.13 branch.)
a984a950 · Laurence Rowe · b2d1e288 · a984a950 · a984a950 · a984a950
Commit a984a950 authored Apr 19, 2011 by Laurence Rowe
Showing with 8 additions and 4 deletions

doc/CHANGES.rst doc/CHANGES.rst +4 -0

src/ZPublisher/HTTPResponse.py src/ZPublisher/HTTPResponse.py +2 -2

src/ZPublisher/tests/testHTTPResponse.py src/ZPublisher/tests/testHTTPResponse.py +2 -2

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -32,6 +32,10 @@ Bugs Fixed
 Features Added
 ++++++++++++++

+- ZPublisher: HTTPResponse.appendHeader now keeps header values to a single
+  line by default to avoid causing problems for proxy servers which do not
+  correctly handle multi-line headers. (Merged from 2.13 branch.)
+
 - Add preliminary IPv6 support to ZServer.

 - ZPublisher: If `IBrowserPage` is provided by a view, form input is decoded.

--- a/src/ZPublisher/HTTPResponse.py
+++ b/src/ZPublisher/HTTPResponse.py
@@ -338,7 +338,7 @@ class HTTPResponse(BaseResponse):
            name = literal and name or key
            self.headers[name] = value

-    def appendHeader(self, name, value, delimiter=","):
+    def appendHeader(self, name, value, delimiter=", "):
        """ Append a value to an HTTP return header.

        Set an HTTP return header "name" with value "value",
@@ -353,7 +353,7 @@ class HTTPResponse(BaseResponse):
        headers = self.headers
        if headers.has_key(name):
            h = headers[name]
-            h = "%s%s\r\n\t%s" % (h, delimiter, value)
+            h = "%s%s%s" % (h, delimiter, value)
        else:
            h = value
        self.setHeader(name,h, scrubbed=True)

--- a/src/ZPublisher/tests/testHTTPResponse.py
+++ b/src/ZPublisher/tests/testHTTPResponse.py
@@ -445,13 +445,13 @@ class HTTPResponseTests(unittest.TestCase):
        response = self._makeOne()
        response.setHeader('foo', 'bar')
        response.appendHeader('foo', 'foo')
-        self.assertEqual(response.headers.get('foo'), 'bar,\r\n\tfoo')
+        self.assertEqual(response.headers.get('foo'), 'bar, foo')

    def test_appendHeader_w_existing_case_insenstative(self):
        response = self._makeOne()
        response.setHeader('xxx', 'bar')
        response.appendHeader('XXX', 'foo')
-        self.assertEqual(response.headers.get('xxx'), 'bar,\r\n\tfoo')
+        self.assertEqual(response.headers.get('xxx'), 'bar, foo')

    def test_appendHeader_drops_CRLF(self):
        # RFC2616 disallows CRLF in a header value.