Validate header names according to RFC 2616

Header name validation rules are too strict. RFC 2616 allows any ASCII character save from 0-32, 127, "(", ")", "<", ">", "@", ",", ";", ":", "\", <">, "/", "[", "]", "?", "=" and "{", "}".
commit facb3a67453fff50cfb89f493779b03c22e6a4c3 1 parent 0722c99
@novemberborn novemberborn authored Ben Symonds committed
Showing with 5 additions and 17 deletions.
  1. +1 −3 SPEC
  2. +2 −5 lib/rack/lint.rb
  3. +2 −9 test/spec_lint.rb
4 SPEC
@@ -202,9 +202,7 @@ server, and must not be sent back to the client.
The header keys must be Strings.
The header must not contain a +Status+ key,
contain keys with <tt>:</tt> or newlines in their name,
-contain keys names that end in <tt>-</tt> or <tt>_</tt>,
-but only contain keys that consist of
-letters, digits, <tt>_</tt> or <tt>-</tt> and start with a letter.
+but only contain keys that match the token rule according to RFC 2616.
The values of the header must be Strings,
consisting of lines (for multiple header values, e.g. multiple
<tt>Set-Cookie</tt> values) seperated by "\n".
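Review bot: the new SPEC sentence cites RFC 2616 without naming the production it means; write it as "the token rule of RFC 2616 section 2.2" (token = 1*<any CHAR except CTLs or separators>) so implementers can find the exact character set. The unchanged clause just above ("contain keys with <tt>:</tt> or newlines in their name") is now implied by the token rule and could be folded into the new sentence, and the context line still reads "seperated" (should be "separated").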
7 lib/rack/lint.rb
@@ -574,11 +574,8 @@ def check_headers(header)
assert("header must not contain Status") { key.downcase != "status" }
## contain keys with <tt>:</tt> or newlines in their name,
assert("header names must not contain : or \\n") { key !~ /[:\n]/ }
- ## contain keys names that end in <tt>-</tt> or <tt>_</tt>,
- assert("header names must not end in - or _") { key !~ /[-_]\z/ }
- ## but only contain keys that consist of
- ## letters, digits, <tt>_</tt> or <tt>-</tt> and start with a letter.
- assert("invalid header name: #{key}") { key =~ /\A[a-zA-Z][a-zA-Z0-9_-]*\z/ }
+ ## The header must match the token rule according to RFC 2616
+ assert("invalid header name: #{key}") { key =~ /\A[\!#\$%&'\*\+-.0-9A-Z\^_`a-z\|~]+\z/ }
## The values of the header must be Strings,
assert("a header value must be a String, but the value of " +
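Review bot: the character class in the new assertion contains `\+-.`, which Ruby parses as the range `+` through `.` (0x2B to 0x2E), so the regex also accepts `,` (0x2C), a separator that RFC 2616 excludes from tokens; escape the hyphen or move it to the end of the class, e.g. `key =~ /\A[\!#\$%&'\*\+\-.0-9A-Z\^_`a-z\|~]+\z/`. The retained `key !~ /[:\n]/` check is now redundant with the token rule but is harmless since it yields a more specific error message.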
11 test/spec_lint.rb
@@ -191,17 +191,10 @@ def result.name
lambda {
Rack::Lint.new(lambda { |env|
- [200, {"Content-" => "text/plain"}, []]
+ [200, {"([{<quark>}])?" => "text/plain"}, []]
}).call(env({}))
}.should.raise(Rack::Lint::LintError).
- message.should.match(/must not end/)
-
- lambda {
- Rack::Lint.new(lambda { |env|
- [200, {"..%%quark%%.." => "text/plain"}, []]
- }).call(env({}))
- }.should.raise(Rack::Lint::LintError).
- message.should.equal("invalid header name: ..%%quark%%..")
+ message.should.equal("invalid header name: ([{<quark>}])?")
lambda {
Rack::Lint.new(lambda { |env|
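Review bot: with the "must not end in - or _" case removed, the spec now exercises only a single rejected name; add a case whose name contains a comma (e.g. `"Foo,Bar"`), which is a separator under RFC 2616 and must raise `invalid header name`, and a positive case such as `"X-Foo-"` or `"Foo.Bar+"` that is now accepted, so the token rule is pinned down from both sides and a mis-built character class in the lint regex would be caught.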