gh-135056: Don't let extra headers overwrite default headers

Author: aisipos

Doc/library/http.server.rst

@@ -406,9 +406,12 @@ instantiation, of which this module provides three different variants:
 
    .. attribute:: extra_response_headers
 
-      A sequence of ``(name, value)`` pairs containing user-defined extra
-      HTTP response headers to add to each successful HTTP status 200 response.
-      These headers are not included in other status code responses.
+      A sequence of ``(name, value)`` pairs containing user-defined extra HTTP
+      response headers to add to each successful HTTP status 200 response. These
+      headers are not included in other status code responses.
+
+      Headers that the server sends automatically (for instance Content-Type)
+      will not be overwritten by extra_response_headers.
 
    The :class:`SimpleHTTPRequestHandler` class defines the following methods:
 
@@ -564,7 +567,8 @@ The following options are accepted:
 
    Specify an additional extra HTTP Response Header to send on successful HTTP
    200 responses. Can be used multiple times to send additional custom response
-   headers.
+   headers. Headers that are sent automatically by the server (for instance
+   Content-Type) will not be overwriten by the server.
 
    .. versionadded:: next
 

Lib/http/server.py

@@ -466,6 +466,7 @@ def handle_one_request(self):
     def handle(self):
         """Handle multiple requests if necessary."""
         self.close_connection = True
+        self.default_response_headers = []
 
         self.handle_one_request()
         while not self.close_connection:
@@ -551,13 +552,15 @@ def send_response_only(self, code, message=None):
                     (self.protocol_version, code, message)).encode(
                         'latin-1', 'strict'))
 
-    def send_header(self, keyword, value):
+    def send_header(self, keyword, value, is_extra=False):
         """Send a MIME header to the headers buffer."""
         if self.request_version != 'HTTP/0.9':
             if not hasattr(self, '_headers_buffer'):
                 self._headers_buffer = []
             self._headers_buffer.append(
                 ("%s: %s\r\n" % (keyword, value)).encode('latin-1', 'strict'))
+            if not is_extra:
+                self.default_response_headers.append((keyword, value))
 
         if keyword.lower() == 'connection':
             if value.lower() == 'close':
@@ -758,10 +761,12 @@ def do_HEAD(self):
             f.close()
 
     def _send_extra_response_headers(self):
-        """Send the headers stored in self.extra_response_headers."""
+        """Send the headers stored in self.extra_response_headers"""
         if self.extra_response_headers is not None:
             for header, value in self.extra_response_headers:
-                self.send_header(header, value)
+                # Don't send the header if it's already sent as part of the default response headers
+                if header.lower() not in (h.lower() for h, _ in self.default_response_headers):
+                    self.send_header(header, value, is_extra=True)
 
     def send_head(self):
         """Common code for GET and HEAD commands.

Lib/test/test_httpservers.py

@@ -939,6 +939,22 @@ def test_extra_response_headers_missing_on_404(self):
             self.assertEqual(response.status, 404)
             self.assertEqual(response.getheader("X-Test1"), None)
 
+    def test_extra_response_headers_dont_overwrite_default_headers(self):
+        with mock.patch.object(self.request_handler, 'extra_response_headers', [
+            ('Content-Type', 'test/not_allowed'),
+            ('Server', 'not_allowed'),
+            ('Set-Cookie', 'test=allowed'),
+        ]):
+            # The Content-Type header should not be overwritten by the extra_response_headers
+            # But cookies in the extra_allowed_duplicate_headers are allowed,
+            # including Set-Cookie
+            response = self.request(self.base_url + '/')
+            self.assertEqual(response.status, 200)
+            self.assertNotEqual(response.getheader("Content-Type"), 'test/not_allowed')
+            self.assertNotEqual(response.getheader("Server"), 'not_allowed')
+            self.assertEqual(response.getheader("Set-Cookie"), 'test=allowed')
+
+
 
 class SocketlessRequestHandler(SimpleHTTPRequestHandler):
     def __init__(self, directory=None):