[Zope] possible bug when creating the request environment (headers)
Sascha Ottolski
sascha.ottolski at gallileus.de
Thu Sep 9 11:36:39 EDT 2004
Hi,
I stumbled over something in conjunction with pound. pound adds an
X-Forwarded-For header to each request. However, from inside zope, this
additional header might be invisible. I guess the problem occurs if
there already was an X-Forwarded-For header in the request: pound writes
a new, second one. And it seems that the REQUEST has only one of the
two headers (so that REQUEST.get('HTTP_X_FORWARDED_FOR') is missing the
value pound added).
I already sent this to the pound list, and was told that having multiple
headers with the same value is allowed, which seems to be correct
according to RFC2616 (HTTP 1.1):
"Multiple message-header fields with the same field-name MAY be present
in a message if and only if the entire field-value for that header
field is defined as a comma-separated list [i.e., #(values)]. It MUST
be possible to combine the multiple header fields into one "field-name:
field-value" pair, without changing the semantics of the message, by
appending each subsequent field-value to the first, each separated by a
comma. The order in which header fields with the same field-name are
received is therefore significant to the interpretation of the combined
field value, and thus a proxy MUST NOT change the order of these field
values when a message is forwarded."
That said, in case of
...
X-Forwarded-for: client1, proxy1
...
X-Forwarded-for: proxy2 <-- added by Pound
...
zope should create something like this:
...
X-Forwarded-for: client1, proxy1, proxy2
...
not only for x-forwarded-for, but for any header around, I guess.
I doubt that it would be difficult to fix. Unfortunately, I couldn't
find the place where a generic header processing takes place to try
myself :-(
Cheers,
Sascha
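
The combining rule quoted from RFC 2616 in the message above, as an added example that is not part of the original post and is not Zope's or Pound's code. The names build_environ, forwarded_chain, nearest_proxy_entry and SAMPLE_HEADERS are hypothetical, and the header lines are constructed from the example in the post.

```python
# Added example: fold repeated request headers into CGI-style environ keys.
# Function names and sample input are assumptions, not Zope code.

# Constructed sample input, using the values from the post.
SAMPLE_HEADERS = [
    "Host: example.org",
    "X-Forwarded-for: client1, proxy1",
    "Accept: text/html",
    "X-Forwarded-for: proxy2",  # the second header, added by the proxy
]


def build_environ(header_lines):
    """Combine repeated header fields as RFC 2616 section 4.2 describes.

    Field names are case-insensitive. Values of repeated fields are joined
    with ", " in the order received. This is only valid for fields whose
    value is defined as a comma-separated list.
    """
    environ = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "field-name: field-value" line
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        value = value.strip()
        if key in environ:
            # Append instead of overwriting or ignoring the later field.
            environ[key] = environ[key] + ", " + value
        else:
            environ[key] = value
    return environ


def forwarded_chain(environ):
    """Return the X-Forwarded-For entries as a list, in received order."""
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    return [part.strip() for part in raw.split(",") if part.strip()]


def nearest_proxy_entry(environ):
    """Return the last entry, i.e. the one appended by the nearest proxy.

    Entries to its left arrived with the request and cannot be verified,
    so an environ that keeps only the first header exposes only those.
    """
    chain = forwarded_chain(environ)
    return chain[-1] if chain else None
```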