Usernames in the http_URL

Eric Wong normalperson at yhbt.net
Thu Dec 17 20:23:32 EST 2009


Scott Chacon <schacon at gmail.com> wrote:
> I just ran into a stupid client that put the username in the http_URL
> field, making the first line of the HTTP request look like this:
> 
> GET http://username@localhost:8080/mojombo/grit HTTP/1.1
> 
> Unicorn 500s on this, saying it can't parse the headers.  I'm
> including a unit test that will die on this, but my question is should
> Unicorn handle this gracefully by just stripping off the username -
> parsing it as a 'server' instead of a 'host'?  It seems that most
> other webservers do, even though it doesn't appear to be the spec.

Hi Scott,

Other servers (Mongrel) fell back to URI.parse which allowed this.
Since Mongrel allowed it (possibly on accident), Unicorn should probably
allow it, too...

The following change should fix things for you, but I'm not sure about
the list of allowed characters for the user and don't have time to check
the RFCs right now.  Which client is doing this?  Any hope of fixing it
there?  But yeah, definitely not in rfc2616 from what I remember.

Also scp-ed the C source up to
http://unicorn.bogomips.org/unicorn_parser.c in case you don't have
Ragel.

diff --git a/ext/unicorn_http/unicorn_http_common.rl b/ext/unicorn_http/unicorn_http_common.rl
index 041dfec..4842972 100644
--- a/ext/unicorn_http/unicorn_http_common.rl
+++ b/ext/unicorn_http/unicorn_http_common.rl
@@ -28,6 +28,7 @@
   scheme = ( "http"i ("s"i)? ) $downcase_char >mark %scheme;
   hostname = (alnum | "-" | "." | "_")+;
   host_with_port = (hostname (":" digit*)?) >mark %host;
+  user = ((alnum | "_" | ".")+ "@")*;
 
   path = ( pchar+ ( "/" pchar* )* ) ;
   query = ( uchar | reserved )* %query_string ;
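Review bot: the added "user" rule accepts only alnum, "_" and "." before the "@", so a username containing "-" or a "user:password" pair still fails to parse, and the trailing "*" lets any number of "name@" segments repeat (for example "a@b@localhost"). Suggest ending the rule with "?" instead of "*" and widening the character class to the RFC 3986 userinfo set (unreserved, pct-encoded, sub-delims and ":"), which also settles the open question about the allowed characters.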
@@ -36,7 +37,7 @@
   rel_path = (path? (";" params)? %request_path) ("?" %start_query query)?;
   absolute_path = ( "/"+ rel_path );
   path_uri = absolute_path > mark %request_uri;
-  Absolute_URI = (scheme "://" host_with_port path_uri);
+  Absolute_URI = (scheme "://" user host_with_port path_uri);
 
   Request_URI = ((absolute_path | "*") >mark %request_uri) | Absolute_URI;
   Fragment = ( uchar | reserved )* >mark %fragment;
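Review bot: in the new "Absolute_URI" line, "user" is matched without a mark or action while "host_with_port" keeps its ">mark %host", so the userinfo is silently dropped and the application cannot tell it was present in the request line. If that is the intent, a short comment above the rule should say so. The diff also touches only the .rl grammar; a test case for a "user@host" request line belongs with this change.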

-- 
Eric Wong
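
The following is an added example, not part of the original message and not Unicorn's code: the patched rules transliterated into Ruby regexes so the accepted and rejected request targets can be checked, next to what URI.parse reports. The constant and method names are hypothetical, and the path rule is simplified to "/" followed by non-space characters.

```ruby
require "uri"

# Added example, not Unicorn code: the patched Ragel rules transliterated
# into Ruby regexes. Constant and method names are hypothetical.
USER     = /(?:[A-Za-z0-9_.]+@)*/   # user = ((alnum | "_" | ".")+ "@")*
HOSTNAME = /[A-Za-z0-9\-._]+/       # hostname = (alnum | "-" | "." | "_")+
# Assumption: path_uri is simplified to "/" followed by non-space characters.
ABSOLUTE_URI = %r{\A(?<scheme>https?)://(?<user>#{USER})(?<host>#{HOSTNAME})(?::(?<port>\d*))?(?<path>/\S*)\z}i

# Returns the parsed parts, or nil where the transliterated grammar rejects.
# The patch itself discards the user part; it is returned here for inspection.
def parse_absolute_uri(target)
  m = ABSOLUTE_URI.match(target)
  return nil unless m
  { scheme: m[:scheme].downcase, user: m[:user], host: m[:host],
    port: m[:port], path: m[:path] }
end

# What URI.parse (the Mongrel fallback mentioned above) reports as userinfo.
def uri_parse_userinfo(target)
  URI.parse(target).userinfo
rescue URI::InvalidURIError
  :invalid
end

# Constructed sample request targets; the first is the one from the thread.
SAMPLES = [
  "http://username@localhost:8080/mojombo/grit",
  "http://localhost:8080/mojombo/grit",
  "http://user-name@localhost/x",   # "-" is not in the user character class
  "http://user:pw@localhost/x",     # ":" is not in the user character class
  "http://a@b@localhost/x"          # accepted because the rule ends in "*"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |t|
    puts "#{t}\n  patched grammar: #{parse_absolute_uri(t).inspect}" \
         "\n  URI.parse userinfo: #{uri_parse_userinfo(t).inspect}"
  end
end
```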

