lib/pitchfork/http_response.rb in pitchfork-0.10.0 vs lib/pitchfork/http_response.rb in pitchfork-0.11.0

- old
+ new

@@ -12,22 +12,30 @@ # is the job of Rack, with the exception of the "Date" and "Status" header. module HttpResponse STATUS_CODES = defined?(Rack::Utils::HTTP_STATUS_CODES) ? Rack::Utils::HTTP_STATUS_CODES : {} + ILLEGAL_HEADER_VALUE = /[\x00-\x08\x0A-\x1F]/ + # internal API, code will always be common-enough-for-even-old-Rack def err_response(code, response_start_sent) "#{response_start_sent ? '' : 'HTTP/1.1 '}" \ "#{code} #{STATUS_CODES[code]}\r\n\r\n" end def append_header(buf, key, value) case value when Array # Rack 3 - value.each { |v| buf << "#{key}: #{v}\r\n" } + value.each do |v| + next if ILLEGAL_HEADER_VALUE.match?(v) + buf << "#{key}: #{v}\r\n" + end when /\n/ # Rack 2 # avoiding blank, key-only cookies with /\n+/ - value.split(/\n+/).each { |v| buf << "#{key}: #{v}\r\n" } + value.split(/\n+/).each do |v| + next if ILLEGAL_HEADER_VALUE.match?(v) + buf << "#{key}: #{v}\r\n" + end else buf << "#{key}: #{value}\r\n" end end
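Review bot: The `else` branch of `append_header` still writes the value unfiltered, so a single-string value without `\n` but containing a bare CR (0x0D), NUL or another byte in the new `ILLEGAL_HEADER_VALUE` ranges is emitted verbatim while the same value inside an Array would be dropped; a bare CR is enough for some HTTP/1.1 parsers to end the field line, which is the injection this patch appears to target. Applying the same guard there closes the gap: `buf << "#{key}: #{value}\r\n" unless ILLEGAL_HEADER_VALUE.match?(value.to_s)`. Two smaller points: `key` is never checked, so a header name carrying CR/LF would still be written, and `next` silently drops the offending header (including e.g. a Set-Cookie) rather than surfacing an error — worth a comment such as `# values with CR/LF or other C0 control bytes are dropped, not raised, to keep the response writable` so the behaviour is intentional rather than accidental. The `module HttpResponse` enclosing these methods continues past the end of the hunk.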