# Test that header generation is spec compliant.
# References:
# http://www.w3.org/Protocols/rfc2616/rfc2616.html
# http://www.w3.org/Protocols/rfc822/3_Lexical.html
use strict;
use warnings;
use Test::More 'no_plan';
use CGI::Simple;
my $cgi = CGI::Simple->new;
like $cgi->header( -type => "text/html" ),
qr#Type: text/html#, 'known header, basic case: type => "text/html"';
eval {
like $cgi->header(
-type => "text/html" . $cgi->crlf . "evil: stuff" ),
qr#Type: text/html evil: stuff#, 'known header';
};
like( $@, qr/contains a newline/, 'invalid header blows up' );
like $cgi->header(
-type => "text/html" . $cgi->crlf . " evil: stuff " ),
qr#Content-Type: text/html evil: stuff#,
'known header, with leading and trailing whitespace on the continuation line';
eval {
like $cgi->header(
-foobar => "text/html" . $cgi->crlf . "evil: stuff" ),
qr#Foobar: text/htmlevil: stuff#, 'unknown header';
};
like(
$@,
qr/contains a newline/,
'unknown header with CRLF embedded blows up'
);
like $cgi->header( -foobar => "Content-type: evil/header" ),
qr#^Foobar: Content-type: evil/header#m,
'unknown header with leading newlines';
eval {
like $cgi->redirect(
-type => "text/html" . $cgi->crlf . "evil: stuff" ),
qr#Type: text/htmlevil: stuff#, 'redirect w/ known header';
};
like(
$@,
qr/contains a newline/,
'redirect with known header with CRLF embedded blows up'
);
eval {
like $cgi->redirect(
-foobar => "text/html" . $cgi->crlf . "evil: stuff" ),
qr#Foobar: text/htmlevil: stuff#, 'redirect w/ unknown header';
};
like(
$@,
qr/contains a newline/,
'redirect with unknown header with CRLF embedded blows up'
);
eval {
like $cgi->redirect(
$cgi->crlf . $cgi->crlf . "Content-Type: text/html" ),
qr#Location: Content-Type#, 'redirect w/ leading newline ';
};
like(
$@,
qr/contains a newline/,
'redirect with leading newlines blows up'
);