Set-Cookie headers should not be combined (#8611)

Motivation: According to the HTTP spec set-cookie headers should not be combined because they are not using the list syntax. Modifications: Do not combine set-cookie headers. Result: Set-Cookie headers won't be combined anymore
2018-12-01 20:47:18 +11:00 · 2018-12-01 20:47:18 +11:00 · 849bdc8a84
commit 849bdc8a84
parent 0ecd0c6ff3
2 changed files with 58 additions and 3 deletions
--- a/codec-http/src/main/java/io/netty/handler/codec/http/CombinedHttpHeaders.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/CombinedHttpHeaders.java
@ -26,6 +26,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;

+import static io.netty.handler.codec.http.HttpHeaderNames.SET_COOKIE;
 import static io.netty.util.AsciiString.CASE_INSENSITIVE_HASHER;
 import static io.netty.util.internal.StringUtil.COMMA;
 import static io.netty.util.internal.StringUtil.unescapeCsvFields;
@ -87,7 +88,7 @@ public class CombinedHttpHeaders extends DefaultHttpHeaders {
        @Override
        public Iterator<CharSequence> valueIterator(CharSequence name) {
            Iterator<CharSequence> itr = super.valueIterator(name);
-            if (!itr.hasNext()) {
+            if (!itr.hasNext() || cannotBeCombined(name)) {
                return itr;
            }
            Iterator<CharSequence> unescapedItr = unescapeCsvFields(itr.next()).iterator();
@ -100,7 +101,7 @@ public class CombinedHttpHeaders extends DefaultHttpHeaders {
        @Override
        public List<CharSequence> getAll(CharSequence name) {
            List<CharSequence> values = super.getAll(name);
-            if (values.isEmpty()) {
+            if (values.isEmpty() || cannotBeCombined(name)) {
                return values;
            }
            if (values.size() != 1) {
@ -213,9 +214,13 @@ public class CombinedHttpHeaders extends DefaultHttpHeaders {
            return this;
        }

+        private static boolean cannotBeCombined(CharSequence name) {
+            return SET_COOKIE.contentEqualsIgnoreCase(name);
+        }
+
        private CombinedHttpHeadersImpl addEscapedValue(CharSequence name, CharSequence escapedValue) {
            CharSequence currentValue = super.get(name);
-            if (currentValue == null) {
+            if (currentValue == null || cannotBeCombined(name)) {
                super.add(name, escapedValue);
            } else {
                super.set(name, commaSeparateEscapedValues(currentValue, escapedValue));
--- a/codec-http/src/test/java/io/netty/handler/codec/http/CombinedHttpHeadersTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/CombinedHttpHeadersTest.java
@ -22,9 +22,12 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.Iterator;

+import static io.netty.handler.codec.http.HttpHeaderNames.SET_COOKIE;
 import static io.netty.util.AsciiString.contentEquals;
+import static org.hamcrest.Matchers.hasSize;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;

 public class CombinedHttpHeadersTest {
@ -66,6 +69,28 @@ public class CombinedHttpHeadersTest {
        assertEquals("a,b,c", headers.get(HEADER_NAME).toString());
    }

+    @Test
+    public void dontCombineSetCookieHeaders() {
+        final CombinedHttpHeaders headers = newCombinedHttpHeaders();
+        headers.add(SET_COOKIE, "a");
+        final CombinedHttpHeaders otherHeaders = newCombinedHttpHeaders();
+        otherHeaders.add(SET_COOKIE, "b");
+        otherHeaders.add(SET_COOKIE, "c");
+        headers.add(otherHeaders);
+        assertThat(headers.getAll(SET_COOKIE), hasSize(3));
+    }
+
+    @Test
+    public void dontCombineSetCookieHeadersRegardlessOfCase() {
+        final CombinedHttpHeaders headers = newCombinedHttpHeaders();
+        headers.add("Set-Cookie", "a");
+        final CombinedHttpHeaders otherHeaders = newCombinedHttpHeaders();
+        otherHeaders.add("set-cookie", "b");
+        otherHeaders.add("SET-COOKIE", "c");
+        headers.add(otherHeaders);
+        assertThat(headers.getAll(SET_COOKIE), hasSize(3));
+    }
+
    @Test
    public void setCombinedHeadersWhenNotEmpty() {
        final CombinedHttpHeaders headers = newCombinedHttpHeaders();
@ -274,6 +299,15 @@ public class CombinedHttpHeadersTest {
        assertEquals(Arrays.asList("a,b,c"), headers.getAll(HEADER_NAME));
    }

+    @Test
+    public void getAllDontCombineSetCookie() {
+        final CombinedHttpHeaders headers = newCombinedHttpHeaders();
+        headers.add(SET_COOKIE, "a");
+        headers.add(SET_COOKIE, "b");
+        assertThat(headers.getAll(SET_COOKIE), hasSize(2));
+        assertEquals(Arrays.asList("a", "b"), headers.getAll(SET_COOKIE));
+    }
+
    @Test
    public void owsTrimming() {
        final CombinedHttpHeaders headers = newCombinedHttpHeaders();
@ -314,6 +348,22 @@ public class CombinedHttpHeadersTest {
        assertValueIterator(headers.valueCharSequenceIterator(HEADER_NAME));
    }

+    @Test
+    public void nonCombinableHeaderIterator() {
+        final CombinedHttpHeaders headers = newCombinedHttpHeaders();
+        headers.add(SET_COOKIE, "c");
+        headers.add(SET_COOKIE, "b");
+        headers.add(SET_COOKIE, "a");
+
+        final Iterator<String> strItr = headers.valueStringIterator(SET_COOKIE);
+        assertTrue(strItr.hasNext());
+        assertEquals("a", strItr.next());
+        assertTrue(strItr.hasNext());
+        assertEquals("b", strItr.next());
+        assertTrue(strItr.hasNext());
+        assertEquals("c", strItr.next());
+    }
+
    private static void assertValueIterator(Iterator<? extends CharSequence> strItr) {
        assertTrue(strItr.hasNext());
        assertEquals("a", strItr.next());