Attempt to prevent responses with Transfer-Encoding: chunked

It's probably a bad idea to implement Transfer-Encoding chunked inside an application, since only HTTP/1.1 supports it. However, some applications and frameworks still do so. However, they should only do so if they receive an HTTP/1.1 request, it's certainly a bug in the application to use Transfer-Encoding: chunked for HTTP/1.0 requests. Set SERVER_PROTOCOL and HTTP_VERSION to HTTP/1.0 in requests to try to avoid responses with Transfer-Encoding: chunked. While here, avoid 4 unnecessary hash allocations by using either Hash#merge! instead of #merge, or using Hash#[]= instead of allocating a hash to pass to Hash#update.
rack · May 2, 2022 · a68ea95 · a68ea95
1 parent 19c1eab
commit a68ea95
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/lib/rack/test.rb b/lib/rack/test.rb
@@ -219,11 +219,11 @@ def parse_uri(path, env)
       end
 
       def env_for(uri, env)
-        env = default_env.merge(env)
+        env = default_env.merge!(env)
 
         env['HTTP_HOST'] ||= [uri.host, (uri.port if uri.port != uri.default_port)].compact.join(':')
 
-        env.update('HTTPS' => 'on') if URI::HTTPS === uri
+        env['HTTPS'] = 'on' if URI::HTTPS === uri
         env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' if env[:xhr]
 
         # TODO: Remove this after Rack 1.1 has been released.
@@ -312,7 +312,7 @@ def digest_auth_configured?
       end
 
       def default_env
-        { 'rack.test' => true, 'REMOTE_ADDR' => '127.0.0.1' }.merge(@env).merge(headers_for_env)
+        { 'rack.test' => true, 'REMOTE_ADDR' => '127.0.0.1', 'SERVER_PROTOCOL' => 'HTTP/1.0', 'HTTP_VERSION' => 'HTTP/1.0' }.merge!(@env).merge!(headers_for_env)
       end
 
       def headers_for_env

diff --git a/spec/rack/test_spec.rb b/spec/rack/test_spec.rb
@@ -29,6 +29,12 @@
       expect(last_request.env['X-Foo']).to eq('bar')
     end
 
+    it 'sets SERVER_PROTOCOL and HTTP_VERSION to HTTP/1.0 by default' do
+      request '/'
+      expect(last_request.env['SERVER_PROTOCOL']).to eq('HTTP/1.0')
+      expect(last_request.env['HTTP_VERSION']).to eq('HTTP/1.0')
+    end
+
     it 'allows HTTP_HOST to be set' do
       request '/', 'HTTP_HOST' => 'www.example.ua'
       expect(last_request.env['HTTP_HOST']).to eq('www.example.ua')