[Mongrel] Bare carriage returns in HTTP headers

Jonathan Rochkind rochkind at jhu.edu
Tue Mar 24 12:15:51 EDT 2009

"Be liberal in what you accept, and conservative in what you send."

Sadly (from my perspective), this is definitely not the philosophy of 
Mongrel, and the Mongrel development 'community' (does it exist?) is not 
partial to it.

I've run into other malformed HTTP requests in other circumstances, and 
the solution I ended up with was using Apache rewrite maps to "fix" 
those malformed requests before they even get to Mongrel.  I'm not sure 
if that solution would work for this particular error, but it sounds like 
you've found another one.

I wouldn't hold my breath for that patch to be incorporated in Mongrel 
though; the Mongrel philosophy seems to be to be conservative in what it 


Dido Sevilla wrote:
> I've been using Mongrel for a while to write bare HTTP servlets as a
> replacement for webrick and encountered an HTTP client using the
> servlet that for some reason occasionally embeds carriage return
> characters ('\r', 0x0d) inside the value fields of message headers.
> Mongrel doesn't like that, and aborts the request with a parse error.
> I'm not sure if this is strictly permitted by RFC 2616, but at any
> rate, changing Mongrel to accept these kinds of HTTP headers was a
> single character change in the Ragel parser, viz.:
> *** START OF PATCH ***
> Index: http11_parser_common.rl
> ===================================================================
> --- http11_parser_common.rl	(revision 1037)
> +++ http11_parser_common.rl	(working copy)
> @@ -46,7 +46,7 @@
>    field_value = any* >start_value %write_value;
> -  message_header = field_name ":" " "* field_value :> CRLF;
> +  message_header = field_name ":" " "* field_value :>> CRLF;
>    Request = Request_Line ( message_header )* ( CRLF @done );
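
Review bot: On the changed `message_header` line, `:>>` lets a carriage return that is not followed by a line feed stay inside `field_value`, and since `field_value` is still `any*` nothing narrows what reaches `write_value`. If bare CRs are to be tolerated, consider excluding or normalising them before the value is stored (or restricting `field_value` to the bytes you intend to allow), because any proxy or application code that treats a lone CR as a line ending will see a different header boundary than this parser does. A comment on the line explaining why the finish-guarded operator is used, plus a parser test with an embedded CR, would also help.
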
> *** END OF PATCH ***
> All that was necessary was to simply change the regular expression in
> the Ragel parser to use a finish-guarded concatenation operator
> instead of an entry-guarded one as in the original. From a cursory
> reading of RFC 2616 I don't see that a carriage return character there
> should be illegal, but as Jon Postel was once quoted as saying: "Be
> liberal in what you accept, and conservative in what you send."
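
The difference between the entry-guarded and finish-guarded operators described in the quoted message, modelled in Ruby as an added example (not Mongrel's code and not part of either message). It assumes CRLF is the two-byte sequence "\r\n"; the function names and the sample input are hypothetical.

```ruby
# Added illustration: models only how a header value is terminated, not Mongrel's parser.
# Assumption: CRLF is the two-byte sequence "\r\n"; all names here are hypothetical.
CRLF = "\r\n"

class HeaderParseError < StandardError; end

# Entry-guarded (":>"): the first "\r" leaves the value, so "\n" must follow.
def value_entry_guarded(rest)
  cr = rest.index("\r")
  raise HeaderParseError, "no CRLF after header value" if cr.nil?
  raise HeaderParseError, "bare CR at offset #{cr}" unless rest[cr + 1] == "\n"
  rest[0...cr]
end

# Finish-guarded (":>>"): only a complete CRLF ends the value; a lone "\r" stays in.
def value_finish_guarded(rest)
  crlf = rest.index(CRLF)
  raise HeaderParseError, "no CRLF after header value" if crlf.nil?
  rest[0...crlf]
end

# Check for code that receives values from the relaxed rule: offsets of any
# CR or LF left inside the value, so the caller can reject or normalise it.
def line_break_offsets(value)
  (0...value.length).select { |i| value[i] == "\r" || value[i] == "\n" }
end

# Constructed input: the text after "Accept-Encoding: " with one embedded bare CR.
SAMPLE = "gzip\rdeflate\r\nHost: example.test\r\n"

if __FILE__ == $PROGRAM_NAME
  relaxed = value_finish_guarded(SAMPLE)
  puts "finish-guarded value: #{relaxed.inspect}"
  puts "line breaks inside value at: #{line_break_offsets(relaxed).inspect}"
  begin
    value_entry_guarded(SAMPLE)
  rescue HeaderParseError => e
    puts "entry-guarded: parse error (#{e.message})"
  end
end
```
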
