Multiple HTTP message-header fields are not properly represented in HTTPRequest.environ

Bug #142565 reported by Abel Deuring
2
Affects Status Importance Assigned to Milestone
Zope 2
Invalid
Low
Unassigned

Bug Description

RFC 2616 (HTTP 1.1) allows multiple header lines with the same header name (see RFC2616, section 4.2), but only the first of these lines is copied into ZPublisher.HTTPRequest.environ.

Example: Access a Zope server through a "client-side proxy" like squid and through Pound, run as a revers proxy in front of Zope. Squid inserts the HTTP header line

> X-Forwarded-for: 1.2.3.4

and Pound appends the line

> X-Forwarded-for: 2.3.4.5

to the request header.

but the output of <dtml-var REQUEST> will only show

> HTTP_X_FORWARDED_FOR '1.2.3.4'

Since the header fields are stored in a dictionary, the two header lines must be merged into one line.

This can be done in ZServer.HTTPServer.zhttp_handler.get_environment. The last lines of this method are (line 237 in HTTPServer.py):

> env_has=env.has_key
> for header in request.header:
> key,value=header.split(":",1)
> key=key.lower()
> value=value.strip()
> if h2ehas(key) and value:
> env[h2eget(key)]=value
> else:
> key='HTTP_%s' % ("_".join(key.split( "-"))).upper()
> if value and not env_has(key):
> env[key]=value
> env.update(self.env_override)
> return env

Changing the last lines to

> if value and not env_has(key):
> env[key]=value
> else:
> env[key] += ', ' + value
> env.update(self.env_override)
> return env

stores all header data int he environment dictionary.

Tags: bug zope
Revision history for this message
Sascha Ottolski (so-gallileus) wrote :

I would like to this fixed, too, but I think this should happen already in medusa/http_server.py.

Wouldn't the join_headers() function be a good place to do so? IMO, it could build a header-cache along the way, which in turn could relieve all these get_header_*() methods with their many "for line in header" loops.

Would this make sense?

Tres Seaver (tseaver)
Changed in zope2:
status: New → Triaged
Revision history for this message
Colin Watson (cjwatson) wrote :

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Triaged → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.