[Mongrel] Invalid HTTP format, parsing fails

Zed Shaw zedshaw at zedshaw.com
Fri Aug 25 19:34:16 EDT 2006


On Fri, 2006-08-25 at 15:49 -0400, Ross Singer wrote:
> While I agree with this fundamentally, pragmatically this is an
> unrealistic expectation.  I get this vendor to fix it, another vendor
> pops up with another dumb unescaped character.
> 
It's most likely not a problem with unescaped characters but something
else (I won't know until you send me the logs).

> You can type these characters into the query string on IE or Safari
> and get the same result, it wouldn't have to be vendor provided. 

Well, this is the problem:  almost all security attacks against web
servers take advantage of how loosely they interpret the protocol in order
to handle user errors that really the browser should be dealing with.

If you think about it, you have two situations:

1) Dumb user typing into a browser -- browser fixes it.
2) Trained programmer writing an API -- follow the RFC.

So the trade-off of being more strict is that a few folks who don't do
either of the above have to go change their interactions.

> I am not 'blaming' anybody.  I'm just pointing out that it's a pretty
> chaotic world and, as a result, it's fairly important that (within
> reason) a webserver can handle the things that are thrown at it.
> 
Yep, that's understandable, but it's also why so many other web servers
get hacked so often.  The HTTP RFC is very complex, and the best way
I've found to deal with it is to use a strict parser.

That being said, the parser has been wrong in the past so shoot me the
logs and I'll look at how to update it.

> My webserver is the one thing that /I/ can control. 

This also brings up another point: not every solution is right for every
job.  Mongrel's the hot thing but I'm the first to suggest another
solution if Mongrel doesn't work out, and have many times told people to
not adopt Mongrel if they've got something that works.

If fcgi works then stick with it.  Another option you might like is
litespeed:

http://litespeedtech.com/community/wiki/doku.php?id=litespeed_wiki:ruby_rails

It's fast, commercial, has support, pretty easy to set up and they do
fast work.


-- 
Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.
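The strict-versus-lenient trade-off described in the message above, as an added example that is not Mongrel's own parser (Mongrel's is a Ragel-generated state machine) and not code from the thread. It is a small Ruby request-line validator that follows the "trained programmer follows the RFC" rule: the request line must be exactly `METHOD SP request-target SP HTTP-version CRLF`, and the path and query may only contain the RFC 3986 `pchar` set or a well-formed `%XX` escape. The `browser_fix` helper is the other side of the argument, the "browser fixes it" step that percent-encodes characters a user typed raw. Function names, the method list, and the sample request lines are all constructed for this illustration; `*` as an OPTIONS target and absolute-form targets are deliberately left out to keep the grammar short.

```ruby
# Added example, not Mongrel's parser: a deliberately strict HTTP/1.1
# request-line validator, plus a "browser-style" fixer for comparison.

# RFC 3986 character classes used inside a request target.
UNRESERVED  = "A-Za-z0-9\\-._~"
SUB_DELIMS  = Regexp.escape("!$&'()*+,;=")
PCHAR       = "#{UNRESERVED}#{SUB_DELIMS}:@"   # unreserved / sub-delims / ":" / "@"
PCT_ENCODED = "%[0-9A-Fa-f]{2}"                # a bare "%" is never allowed

# path-absolute: one or more "/" segments of pchar or pct-encoded octets
PATH_RE  = /\A(?:\/(?:[#{PCHAR}]|#{PCT_ENCODED})*)+\z/
# query: pchar / "/" / "?" (or pct-encoded), possibly empty
QUERY_RE = /\A(?:[#{PCHAR}\/?]|#{PCT_ENCODED})*\z/

METHODS    = %w[GET HEAD POST PUT DELETE OPTIONS TRACE CONNECT].freeze
VERSION_RE = /\AHTTP\/\d\.\d\z/

class StrictParseError < StandardError; end

# Parses "METHOD SP request-target SP HTTP-version CRLF" and raises
# StrictParseError on any deviation. Nothing is silently repaired.
def parse_request_line(line)
  raise StrictParseError, "request line must end in CRLF" unless line.end_with?("\r\n")
  body = line[0...-2]
  # CTLs (including a stray CR or LF) are never legal inside the line.
  raise StrictParseError, "control character in request line" if body =~ /[\x00-\x1f\x7f]/

  # Split on single spaces only: String#split(" ") would collapse runs of
  # whitespace, which is exactly the kind of leniency we want to avoid.
  parts = body.split(/ /, -1)
  raise StrictParseError, "expected exactly 3 space-separated tokens, got #{parts.size}" unless parts.size == 3

  method, target, version = parts
  raise StrictParseError, "unknown method #{method.inspect}" unless METHODS.include?(method)
  raise StrictParseError, "bad HTTP version #{version.inspect}" unless version =~ VERSION_RE

  path, query = target.split("?", 2)
  raise StrictParseError, "illegal character in path #{path.inspect}" unless path =~ PATH_RE
  raise StrictParseError, "illegal character in query #{query.inspect}" if query && query !~ QUERY_RE

  { method: method, path: path, query: query, version: version }
end

# Convenience predicate for callers that only need accept/reject.
def strict_accepts?(line)
  parse_request_line(line)
  true
rescue StrictParseError
  false
end

# What a browser does before sending: percent-encode every byte that is
# not a pchar, "/", "?" or (already) a "%". This is the "dumb user typing
# into a browser -- browser fixes it" half of the argument, done on the
# client so the server can stay strict.
def browser_fix(target)
  target.gsub(/[^#{PCHAR}\/?%]/) do |ch|
    ch.bytes.map { |b| "%%%02X" % b }.join   # UTF-8 bytes, one %XX each
  end
end

if __FILE__ == $0
  [
    "GET /search?q=a%20b HTTP/1.1\r\n",   # well-formed: accepted
    "GET /search?q=a b HTTP/1.1\r\n",     # raw space: 4 tokens, rejected
    "GET /search?q=<b> HTTP/1.1\r\n",     # raw '<' '>': rejected
    "GET /a%2 HTTP/1.1\r\n",              # truncated escape: rejected
  ].each do |line|
    begin
      puts "ACCEPT #{line.inspect} => #{parse_request_line(line)}"
    rescue StrictParseError => e
      puts "REJECT #{line.inspect}: #{e.message}"
    end
  end
  puts "browser_fix: #{browser_fix('/search?q=<b>')}"
end
```

The split between the two functions is the point of the message: `parse_request_line` never guesses what a malformed line meant, so an attacker cannot exploit a difference between what the server guessed and what the application assumed, and `browser_fix` shows that the repair belongs on the client, where the ambiguity is visible to the person who typed it.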