From 5cf66ebf91b761e43c09b9be6fb9d1f6f9d59dc1 Mon Sep 17 00:00:00 2001
From: Brian White <mscdex@mscdex.net>
Date: Mon, 28 Dec 2015 18:41:34 -0500
Subject: [PATCH] http: fix non-string header value concatenation

Since headers are stored in an empty literal object ({}) instead
of an object created with Object.create(null), care must be taken
with property names inherited from Object. Currently there are
only functions inherited, so we can safely check for existing
strings instead.

Fixes: https://github.com/nodejs/node/issues/4456
PR-URL: https://github.com/nodejs/node/pull/4460
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
---
 lib/_http_incoming.js                          | 2 +-
 test/parallel/test-http-server-multiheaders.js | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/_http_incoming.js b/lib/_http_incoming.js
index e16f198dba71bd..4f001041f8af89 100644
--- a/lib/_http_incoming.js
+++ b/lib/_http_incoming.js
@@ -159,7 +159,7 @@ IncomingMessage.prototype._addHeaderLine = function(field, value, dest) {
 
     default:
       // make comma-separated list
-      if (dest[field] !== undefined) {
+      if (typeof dest[field] === 'string') {
         dest[field] += ', ' + value;
       } else {
         dest[field] = value;
diff --git a/test/parallel/test-http-server-multiheaders.js b/test/parallel/test-http-server-multiheaders.js
index 7033ef8e7079f2..99d72988479928 100644
--- a/test/parallel/test-http-server-multiheaders.js
+++ b/test/parallel/test-http-server-multiheaders.js
@@ -16,6 +16,7 @@ var srv = http.createServer(function(req, res) {
   assert.equal(req.headers['x-bar'], 'banjo, bango');
   assert.equal(req.headers['sec-websocket-protocol'], 'chat, share');
   assert.equal(req.headers['sec-websocket-extensions'], 'foo; 1, bar; 2, baz');
+  assert.equal(req.headers['constructor'], 'foo, bar, baz');
 
   res.writeHead(200, {'Content-Type' : 'text/plain'});
   res.end('EOF');
@@ -48,7 +49,10 @@ srv.listen(common.PORT, function() {
       ['sec-websocket-protocol', 'share'],
       ['sec-websocket-extensions', 'foo; 1'],
       ['sec-websocket-extensions', 'bar; 2'],
-      ['sec-websocket-extensions', 'baz']
+      ['sec-websocket-extensions', 'baz'],
+      ['constructor', 'foo'],
+      ['constructor', 'bar'],
+      ['constructor', 'baz'],
     ]
   });
 });