From 4ba312fa335b67406890454eb57f20f5051387ae Mon Sep 17 00:00:00 2001
From: Braedon Vickers <braedon.vickers@gmail.com>
Date: Mon, 28 Sep 2020 13:31:58 +0800
Subject: Don't mutate headers dict passed into static_file()

Mutating the passed in dict can produce unexpected results if the caller
re-uses the dict, e.g. uses the same set of headers for multiple files.
---
 bottle.py             |  2 +-
 test/test_sendfile.py | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/bottle.py b/bottle.py
index c13c99e..45e85d1 100755
--- a/bottle.py
+++ b/bottle.py
@@ -2878,7 +2878,7 @@ def static_file(filename, root,
 
     root = os.path.join(os.path.abspath(root), '')
     filename = os.path.abspath(os.path.join(root, filename.strip('/\\')))
-    headers = headers or {}
+    headers = headers.copy() if headers else {}
 
     if not filename.startswith(root):
         return HTTPError(403, "Access denied.")
diff --git a/test/test_sendfile.py b/test/test_sendfile.py
index 622d992..d6693c2 100755
--- a/test/test_sendfile.py
+++ b/test/test_sendfile.py
@@ -142,3 +142,13 @@ class TestSendFile(unittest.TestCase):
         self.assertEqual([(10, 100)], r('bytes=10-'))
         self.assertEqual([(5, 11)],  r('bytes=5-10'))
         self.assertEqual([(10, 100), (90, 100), (5, 11)],  r('bytes=10-,-10,5-10'))
+
+    def test_custom_headers(self):
+        """ SendFile: Custom headers """
+        headers = {'X-Custom-Header': 'test-value'}
+        headers_orig = headers.copy()
+        res = static_file(basename, root=root, headers=headers)
+        self.assertTrue('X-Custom-Header' in res.headers)
+        self.assertEqual('test-value', res.headers['X-Custom-Header'])
+        # Check the passed in headers dict isn't modified.
+        self.assertEqual(headers_orig, headers)
-- 
cgit v1.2.1