[Mongrel] Bare carriage returns in HTTP headers

Dido Sevilla dido.sevilla at gmail.com
Tue Mar 24 00:23:34 EDT 2009

I've been using Mongrel for a while to write bare HTTP servlets as a
replacement for webrick and encountered an HTTP client using the
servlet that for some reason occasionally embeds carriage return
characters ('\r', 0x0d) inside the value fields of message headers.
Mongrel doesn't like that, and aborts the request with a parse error.
I'm not sure if this is strictly permitted by RFC 2616, but at any
rate, changing Mongrel to accept these kinds of HTTP headers was a
single character change in the Ragel parser, viz.:


Index: http11_parser_common.rl
--- http11_parser_common.rl	(revision 1037)
+++ http11_parser_common.rl	(working copy)
@@ -46,7 +46,7 @@

   field_value = any* >start_value %write_value;

-  message_header = field_name ":" " "* field_value :> CRLF;
+  message_header = field_name ":" " "* field_value :>> CRLF;

   Request = Request_Line ( message_header )* ( CRLF @done );

*** END OF PATCH ***

All that was necessary was to simply change the regular expression in
the Ragel parser to use a finish-guarded concatenation operator
instead of an entry-guarded one as in the original. From a cursory
reading of RFC 2616 I don't see that a carriage return character there
should be illegal, but as Jon Postel was once quoted as saying: "Be
liberal in what you accept, and conservative in what you send."


More information about the Mongrel-users mailing list