use Test::More tests => 2;
use strict;
use warnings;
use Dancer::Response;
use Dancer::Handler::Standalone;
my $r =
Dancer::Response->new(
headers => [ 'Location' => "http://good.com\nLocation: http://evil.com" ],
);
my $res = Dancer::Handler::Standalone->render_response($r);
is_deeply(
$res->[1],
[ 'Location' => "http://good.com\r\n Location: http://evil.com", 'Content-Length' => 0,],
"CRLF injections are not allowed... a space is added to make the second line an RFC-compliant continuation line."
);
$r = Dancer::Response->new(
headers => [
'Content-Length' => 0,
a => "foo\nevil body",
]
);
$res = Dancer::Handler::Standalone->render_response($r);
is $res->[1]->[3], "foo\r\n evil body";