[Mongrel] Bare carriage returns in HTTP headers

Eric Wong normalperson at yhbt.net
Thu Mar 26 14:42:40 EDT 2009


Dido Sevilla <dido.sevilla at gmail.com> wrote:
> On Wed, Mar 25, 2009 at 12:15 AM, Jonathan Rochkind <rochkind at jhu.edu> wrote:
> > I've run into other malformed HTTP requests in other circumstances, and the
> > solution I ended up with was using Apache rewrite maps to "fix" those
> > malformed requests before they even get to mongrel.  I'm not sure if that
> > solution would work for this particular error, but sounds like you've found
> > another one.
> >
> 
> Any hints on how I can do this? Obviously I have no control over what
> hits my HTTP server and must deal with the broken clients as best I
> can. Ironically, modifying the Mongrel parser to work around this
> particular broken HTTP client turned out to be a lot easier than
> sifting through the Apache documentation to find a particular module
> that would do what needed to be done...
> 
> > I wouldn't hold my breath for that patch to be incorporated in mongrel
> > though, the mongrel philosophy seems to be to be conservative in what it
> > accepts.
> 
> Neither do I expect it to get incorporated, in spite of its
> simplicity. The patch does not make me comfortable in the least.
> 
> By the way, if control characters are not allowed in field values, why
> does the regex for field_value in the current SVN source have an any*
> expression rather than a more restrictive class of characters that it
> can accept? That means that we could put some other control character
> there and have Mongrel accept it anyway, in spite of its being
> prohibited by RFC 2616.

Good question.  That's for Zed since he originally created this parser
(but I don't think he wants to be bothered about it anymore).  Zed
probably had his reasons... maybe there are legit/real clients that send
invalid bytes we need to let through.  But "\r" (and "\n") have more
potential to break things than other control chars because it's part of
the delimiter sequence that external libraries/apps may not expect.

My reverse proxy (nginx) rejects header values with "\r" before it ever
gets to Mongrel, however.

-- 
Eric Wong


More information about the Mongrel-users mailing list