Ignore illegal HTTP headers

Fixes: #411
2018-03-04 13:12:36 -08:00 · 2018-03-04 13:12:36 -08:00 · feae6d6ec8
parent 1592ca1148
commit feae6d6ec8
2 changed files with 35 additions and 13 deletions
--- a/src/headers.js
+++ b/src/headers.js
@ -322,3 +322,34 @@ Object.defineProperty(HeadersIteratorPrototype, Symbol.toStringTag, {
 	enumerable: false,
 	configurable: true
 });
+
+/**
+ * Create a Headers object from an object of headers, ignoring those that do
+ * not conform to HTTP grammar productions.
+ *
+ * @param   Object  obj  Object of headers
+ * @return  Headers
+ */
+export function createHeadersLenient(obj) {
+	const headers = new Headers();
+	for (const name of Object.keys(obj)) {
+		if (invalidTokenRegex.test(name)) {
+			continue;
+		}
+		if (Array.isArray(obj[name])) {
+			for (const val of obj[name]) {
+				if (invalidHeaderCharRegex.test(val)) {
+					continue;
+				}
+				if (headers[MAP][name] === undefined) {
+					headers[MAP][name] = [val];
+				} else {
+					headers[MAP][name].push(val);
+				}
+			}
+		} else if (!invalidHeaderCharRegex.test(obj[name])) {
+			headers[MAP][name] = [obj[name]];
+		}
+	}
+	return headers;
+}
--- a/src/index.js
+++ b/src/index.js
@ -7,7 +7,7 @@

 import Body, { writeToStream } from './body';
 import Response from './response';
-import Headers from './headers';
+import Headers, { createHeadersLenient } from './headers';
 import Request, { getNodeRequestOptions } from './request';
 import FetchError from './fetch-error';

@ -106,19 +106,10 @@ export default function fetch(url, opts) {
 				return;
 			}

+			const headers = createHeadersLenient(res.headers);
 			// normalize location header for manual redirect mode
-			const headers = new Headers();
-			for (const name of Object.keys(res.headers)) {
-				if (Array.isArray(res.headers[name])) {
-					for (const val of res.headers[name]) {
-						headers.append(name, val);
-					}
-				} else {
-					headers.append(name, res.headers[name]);
-				}
-			}
-			if (request.redirect === 'manual' && headers.has('location')) {
-				headers.set('location', resolve_url(request.url, headers.get('location')));
+			if (request.redirect === 'manual' && headers.has('Location')) {
+				headers.set('Location', resolve_url(request.url, headers.get('Location')));
 			}

 			// prepare response