Apply suggestion from @kinyoklion

beekld · kinyoklion · web-flow · commit aaff427d8cc8 · 2026-05-28T10:28:58.000-07:00
Co-authored-by: Ryan Lamb &lt;4955475+kinyoklion@users.noreply.github.com&gt;
diff --git a/libs/server-sent-events/src/curl_client.cpp b/libs/server-sent-events/src/curl_client.cpp
@@ -437,12 +437,32 @@ size_t CurlClient::HeaderCallback(char const* buffer,
         // End-of-headers terminator: emit and reset.
         context->response(std::move(context->current_response));
         context->current_response = http::response_header<>{};
+    // Strip the line terminator. Allow bare LF or bare CR per RFC 9112 §2.2;
+    // libcurl preserves the original wire bytes for HTTP/1.x (only HTTP/2
+    // synthesizes CRLF), so a non-compliant origin can deliver bare LF here.
+    while (!line.empty() &&
+           (line.back() == '\r' || line.back() == '\n')) {
+        line.remove_suffix(1);
+    }
+
+    if (line.empty()) {
+        // Terminator. If we're between responses (e.g., the line ends a
+        // chunked-transfer trailer block), there's nothing to emit.
+        if (context->reading_headers) {
+            context->response(std::move(context->current_response));
+            context->current_response = http::response_header<>{};
+            context->reading_headers = false;
+        }
         return total_size;
     }
 
     if (line.substr(0, 5) == "HTTP/") {
-        // Status line: "HTTP/X.Y CODE REASON". Start a fresh response.
-        // Status line: "HTTP/X.Y CODE REASON". Start a fresh response.
+        // Status line: "HTTP/X.Y CODE REASON". Only legitimate before any
+        // header has been seen for this response — an interior HTTP/ line
+        // would otherwise wipe accumulated state.
+        if (context->reading_headers) {
+            return total_size;
+        }
         // Beast default-constructs result_ to status::ok (200); reset to 0
         // so an unparseable status line surfaces as result_int() == 0.
         context->current_response = http::response_header<>{};
@@ -452,10 +472,19 @@ size_t CurlClient::HeaderCallback(char const* buffer,
             unsigned code = 0;
             auto const result = std::from_chars(
                 line.data() + code_start + 1, line.data() + line.size(), code);
-            if (result.ec == std::errc{} && code != 0) {
+            // Three-digit status per RFC 7231 §6; the tight bound avoids
+            // result(unsigned) throwing across the libcurl C frame.
+            if (result.ec == std::errc{} && code >= 100 && code <= 999) {
                 context->current_response.result(code);
             }
         }
+        context->reading_headers = true;
+        return total_size;
+    }
+
+    if (!context->reading_headers) {
+        // Header line received outside an active response — chunked trailer
+        // or protocol-level junk. Ignore.
         return total_size;
     }
 
@@ -472,7 +501,9 @@ size_t CurlClient::HeaderCallback(char const* buffer,
                (value.back() == ' ' || value.back() == '\t')) {
             value.remove_suffix(1);
         }
-        context->current_response.set(std::string(name), std::string(value));
+        // insert() preserves duplicate-name headers (Set-Cookie, Via, …);
+        // set() would collapse them and diverge from the Foxy backend.
+        context->current_response.insert(std::string(name), std::string(value));
 
         if (beast::iequals(name, "Content-Type") &&
             value.find("text/event-stream") == std::string_view::npos) {
