Issue #14071 has been updated by phluid61 (Matthew Kerwin).


dgames (Dax Games) wrote:
> 
> I think this code is overly critical of '\r\n' since it is actually erroring out on what is valid to separate header elements.  The method itself is using this same separator.

That's like saying you should allow quotation marks in a string, because you're hacking the string to actually be two strings.  It bans the "\r\n" characters specifically because they're separators, they can't be part of the *value*.

I think perhaps what you'd like to request, instead, is the ability to define the way multiple header fields with the same name are sent in a HTTP message.  Here's a straw-man idea:

```ruby
h1.always_concatenate!
h1['foo'] = 'bar, baz'
h1['foo'] = 'qux'

# =>
#
# Foo: bar, baz, qux
#

h2.never_concatenate!
h2['foo'] = 'bar, baz'
h2['foo'] = 'qux'

# =>
#
# Foo: bar, baz
# Foo: qux
#
```

That is definitely a separate feature request, though.

----------------------------------------
Bug #14071: HTTP Header requiring dual authorization fails with 'header field value cannot include CR/LF'
https://bugs.ruby-lang.org/issues/14071#change-67670

* Author: dgames (Dax Games)
* Status: Third Party's Issue
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------
Not sure if this is a bug or not but I know where it was introduced and when it worked.

ruby 2.3.1p112 (Code Works)
ruby 2.3.4p301 (Code Works)
ruby 2.3.5p376 (Code Fails)
ruby 2.4.1p111 (Code Works)
ruby 2.4.2p198 (Code Fails)


My code that works - (Depending on Ruby version - see above versions of ruby for pass fail status):

# Start Working Code

```ruby
        url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe
        url += "&Keywords=" + keywords if ! keywords.nil?

        uri = URI.parse(url)

        http = Net::HTTP.new(uri.host, uri.port)
        http.use_ssl = true

        request = Net::HTTP::Get.new(url)

        request["authorization"] = "Bearer #{pf_token}\r\nAuthorization: #{ck_token}"
        request["oauth_clientid"] = pf_credentials['client_id']
        request["content-type"] = 'application/json'

        # Send the request
        http.set_debug_output $stderr
        res = http.request(request)
 ```

I am no expert and the code above may be a hack but it works on sites where dual authentication is required, at least with some versions of Ruby.  I came to this solution by inspecting the http request by setting '`http.set_debug_output $stderr`' and saw that header elements are separate by '\r\n'


This curl command works:

```
curl -X GET 'https://xxxx/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=Safe1' -H 'authorization: Bearer xxxxxxxxxxxxxxxxxxx' -H 'authorization: YYYYYYYYYYY' -H 'content-type: application/json' -H 'oauth_clientid: clientid1'
```

The above code fails with 'header field value cannot include CR/LF' in:

ruby 2.3.5p376
ruby 2.4.2p198 

This was most recently was re-introduced by this commit: https://github.com/ruby/ruby/commit/427f5b57135fa165990f87c93658fafbe070289f


I have tried the following on the newer failing version of Ruby but these also fail with `#<Net::HTTPUnauthorized:0x0000000003183780> => "1012116 - Invalid token."`

# Start Failing Code
```ruby
        url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe
        url += "&Keywords=" + keywords if ! keywords.nil?

        uri = URI.parse(url)

        http = Net::HTTP.new(uri.host, uri.port)
        http.use_ssl = true

        request = Net::HTTP::Get.new(url)

        request["authorization"] = ["Bearer #{pf_token}",  ck_token]
        request["oauth_clientid"] = pf_credentials['client_id']
        request["content-type"] = 'application/json'

        # Send the request
        http.set_debug_output $stderr
        res = http.request(request)
```

and this:

```ruby
        url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe
        url += "&Keywords=" + keywords if ! keywords.nil?

        uri = URI.parse(url)

        http = Net::HTTP.new(uri.host, uri.port)
        http.use_ssl = true

        request = Net::HTTP::Get.new(url)

        request.add_field("authorization", "Bearer #{pf_token}")
        request.add_field("authorization", ck_token)
        request.add_field("oauth_clientid", pf_credentials['client_id'])
        request.add_field("content-type", 'application/json')

        # Send the request
        http.set_debug_output $stderr
        res = http.request(request)
```

Another variation also fails in all versions with `"undefined method `strip' for #<Array:0x00000000034ad910>"`

```ruby
        url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe
        url += "&Keywords=" + keywords if ! keywords.nil?

        uri = URI.parse(url)

        http = Net::HTTP.new(uri.host, uri.port)
        http.use_ssl = true

        header = {
          'authorization' => ["Bearer #{pf_token}", "#{ck_token}"],
          'oauth_clientid' => pf_credentials['client_id'],
          'content-type' => 'application/json'
        }

        # Send the request
       
        http.set_debug_output $stderr
        res = http.request_get(uri.path, header)      
```





-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>