Check that http header names are case insensitive #1474
Comments
|
The investigation so far suggests that we are using headers in a case insensitive manner. For dstu2 and dstu2016may, we are using org.apache.http.HttpResponse. Internally, this uses case insensitive checks for equality: https://github.com/apache/httpcomponents-core/blob/d1c77bc7f7697548cd83d04ba87a1ec7105da308/httpcore5/src/main/java/org/apache/hc/core5/http/message/HeaderGroup.java#L213 In dstu3, r4, r4b, and r5, we're using OkHttp3, which also uses case insensitive checks for equality: https://github.com/square/okhttp/blob/3afe55cdcdb8dbaa7bd5e3a914e6412cf587d9a1/okhttp/src/commonMain/kotlin/okhttp3/internal/-HeadersCommon.kt#L68 In utilities, we're using MessageHeader, which is dependent on the Java implementation. So far, Temurin 17 indicates it is also case insensitive, and I believe it will likely be the case for all JVMs. (from decompiled code) for (int i = nkeys; --i >= 0;) {
if (k.equalsIgnoreCase(keys[i]))
return values[i];
}What we didn't do in a number of places is stick to lowercase header names in our code. I'm going through those now and changing them all to lowercase, so we are consistent. |
|
so have we sorted this now? |
|
It looks like our libraries are taking care of this for us. I may still try to put in some unit tests to verify their behaviour, but I think it's unlikely they'll regress with regards to this. I would like to keep the issue open as a reminder until I get some of those tests in, but it won't be a high priority. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions. |
HTTP says that HTTP header names are case insensitive, and http/2 mandates lowercase. Check that header names are being used in a case-insensitive fashion
The text was updated successfully, but these errors were encountered: