[Mongrel] Bare carriage returns in HTTP headers

Dido Sevilla dido.sevilla at gmail.com
Thu Mar 26 03:59:59 EDT 2009

On Wed, Mar 25, 2009 at 12:15 AM, Jonathan Rochkind <rochkind at jhu.edu> wrote:
> I've run into other malformed HTTP requests in other circumstances, and the
> solution I ended up with was using Apache rewrite maps to "fix" those
> malformed requests before they even get to mongrel.  I'm not sure if that
> solution would work for this particular error, but sounds like you've found
> another one.

Any hints on how I can do this? Obviously I have no control over what
hits my HTTP server and must deal with the broken clients as best I
can. Ironically, modifying the Mongrel parser to work around this
particular broken HTTP client turned out to be a lot easier than
sifting through the Apache documentation to find a particular module
that would do what needed to be done...

> I wouldn't hold my breath for that patch to be incorporated in mongrel
> though, the mongrel philosophy seems to be to be conservative in what it
> accepts.

Neither do I expect it to get incorporated, in spite of its
simplicity. The patch does not make me comfortable in the least.

By the way, if control characters are not allowed in field values, why
does the regex for field_value in the current SVN source have an any*
expression rather than a more restrictive class of characters that it
can accept? That means that we could put some other control character
there and have Mongrel accept it anyway, in spite of its being
prohibited by RFC 2616.


More information about the Mongrel-users mailing list