Issue #14071 has been reported by dgames (Dax Games).

----------------------------------------
Bug #14071: HTTP Header requiring dual authorization fails with 'header field value cannot include CR/LF'
https://bugs.ruby-lang.org/issues/14071

* Author: dgames (Dax Games)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------
Not sure if this is a bug or not but I know where it was introduced and when it worked.

My code that works:

ruby 2.3.1p112
ruby 2.4.1p111
ruby 2.3.4p301

# Start Working Code
        url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe
        url += "&Keywords=" + keywords if ! keywords.nil?

        uri = URI.parse(url)

        http = Net::HTTP.new(uri.host, uri.port)
        http.use_ssl = true

        request = Net::HTTP::Get.new(url)

        request["authorization"] = "Bearer #{pf_token}\r\nAuthorization: #{ck_token}"
        request["oauth_clientid"] = pf_credentials['client_id']
        request["content-type"] = 'application/json'

        # Send the request
        http.set_debug_output $stderr
        res = http.request(request)
 # end working code

Fails with 'header field value cannot include CR/LF' in:

ruby 2.3.5p376
ruby 2.4.2p198 

This was most recently was re-introduced by this commit: https://github.com/ruby/ruby/commit/427f5b57135fa165990f87c93658fafbe070289f

I am no expert and the code above may be a hack but it works on sites where dual authentication is required, at least with some versions of Ruby.  I came to this solution by inspecting the http request by setting 'http.set_debug_output $stderr' and saw that header elements are separate by '\r\n'

I have tried the following on the newer failing version of Ruby but these also fail with #<Net::HTTPUnauthorized:0x0000000003183780> => "1012116 - Invalid token."

# Start Failing Code
        url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe
        url += "&Keywords=" + keywords if ! keywords.nil?

        uri = URI.parse(url)

        http = Net::HTTP.new(uri.host, uri.port)
        http.use_ssl = true

        request = Net::HTTP::Get.new(url)

        request["authorization"] = ["Bearer #{pf_token}",  ck_token]
        request["oauth_clientid"] = pf_credentials['client_id']
[        request["content-type"] = 'application/json'

        # Send the request
        http.set_debug_output $stderr
        res = http.request(request)
# End Failing Code

and this:

# Start Failing Code
        url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe
        url += "&Keywords=" + keywords if ! keywords.nil?

        uri = URI.parse(url)

        http = Net::HTTP.new(uri.host, uri.port)
        http.use_ssl = true

        request = Net::HTTP::Get.new(url)

        request.add_field("authorization", "Bearer #{pf_token}")
        request.add_field("authorization", ck_token)
        request.add_field("oauth_clientid", pf_credentials['client_id'])
        request.add_field("content-type", 'application/json')

        # Send the request
        http.set_debug_output $stderr
        res = http.request(request)
# End Failing Code

Another variation also fails with "undefined method `strip' for #<Array:0x00000000034ad910>"

# Begin Failing Code
        url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe
        url += "&Keywords=" + keywords if ! keywords.nil?

        uri = URI.parse(url)

        http = Net::HTTP.new(uri.host, uri.port)
        http.use_ssl = true

        header = {
          'authorization' => ["Bearer #{pf_token}", "#{ck_token}"],
          'oauth_clientid' => pf_credentials['client_id'],
          'content-type' => 'application/json'
        }

        # Send the request
       
        http.set_debug_output $stderr
        res = http.request_get(uri.path, header)      
#End Failing Code



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>