HTTP headers can be duplicated #380

Open
fatboychummy opened this issue Oct 15, 2024 · 0 comments
Labels
bug Something isn't working


fatboychummy commented Oct 15, 2024

Summary

When an HTTP request is made to a server, the server can respond with multiple headers under the same name. However, CraftOS-PC only allows one header per name to be received, and does not concatenate the values of multiple headers into a list. This means that if a server sends multiple, say, Set-Cookie headers, only the last one will be received by the client.

This is problematic if you are trying to authenticate with some external service, and the service responds with multiple cookies. The client will only receive the last cookie, and thus may or may not be able to authenticate properly.

For a test case, I tossed together the following short Python script:

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

class TestServer(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')

        # Set multiple test "cookies"
        self.send_header('Set-Cookie', 'test1=1; Path=/; HttpOnly')
        self.send_header('Set-Cookie', 'test2=2; Path=/; HttpOnly')
        self.end_headers()

        self.wfile.write(b'<html><body><h1>Hello world!</h1></body></html>')

# Server settings
PORT = 8000
server_address = ('', PORT)
httpd = HTTPServer(server_address, TestServer)
print(f'Starting server on port {PORT}')
httpd.serve_forever()
```

When I run this server and make a request to it from CraftOS-PC, I only receive the last Set-Cookie header (test2=2; Path=/; HttpOnly), and not both. According to RFC 9110: HTTP Semantics, section 5.2, multiple headers with the same name should be treated as a list of values, and not as separate headers.
This does unfortunately break down a slight bit for the Set-Cookie header, as commas can appear in the cookie body, but CC:Tweaked itself handles it in this way so it should be fine. Maybe.

Expected behavior

When multiple headers with the same name are received, they should be concatenated into a list of values, rather than only the last one being received.

Actual behavior

Only the last header with a given name is received, and the values of multiple headers are not concatenated into a list.

Other information

Here is an image showing the difference between CraftOS-PC and CC:Tweaked when receiving multiple headers. You can see that CC:Tweaked receives both headers, while CraftOS-PC only receives the last one:

image

@fatboychummy fatboychummy added the bug Something isn't working label Oct 15, 2024
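
An added example, not part of the original issue and not code from CraftOS-PC or CC:Tweaked: three ways a client can store repeated response headers, run over a constructed header block. The function names and the `Expires` attribute on the second cookie are assumptions, chosen to show the last-wins behaviour reported above, the comma-joined list from RFC 9110 section 5.2, and why `Set-Cookie` is safer kept as separate values.

```python
# Added example: constructed response header block, not captured traffic.
RAW_HEADERS = (
    "Content-Type: text/html\r\n"
    "Set-Cookie: test1=1; Path=/; HttpOnly\r\n"
    "Set-Cookie: test2=2; Expires=Wed, 15 Oct 2025 00:00:00 GMT; HttpOnly\r\n"
    "Cache-Control: no-cache\r\n"
    "Cache-Control: no-store\r\n"
)


def field_lines(raw):
    """Yield (lowercased name, value) for each header line, in order."""
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        yield name.strip().lower(), value.strip()


def last_wins(raw):
    """Behaviour reported in the issue: a later line overwrites an earlier one."""
    return dict(field_lines(raw))


def combined(raw):
    """Combined field value: repeated names are joined with ', ' in order."""
    out = {}
    for name, value in field_lines(raw):
        out[name] = f"{out[name]}, {value}" if name in out else value
    return out


def multi_valued(raw):
    """Keep every value in a list so Set-Cookie never needs comma splitting."""
    out = {}
    for name, value in field_lines(raw):
        out.setdefault(name, []).append(value)
    return out


if __name__ == "__main__":
    for parse in (last_wins, combined, multi_valued):
        print(parse.__name__, "->", parse(RAW_HEADERS).get("set-cookie"))
```

Splitting the combined `set-cookie` value on `", "` yields three pieces for two cookies, because the `Expires` date contains a comma; the list form keeps both cookies intact.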