[Mongrel] Bare carriage returns in HTTP headers

Jonathan Rochkind rochkind at jhu.edu
Thu Mar 26 16:34:14 EDT 2009

Yes, my vendor is really that brain-damaged.  Yes, I have told them 
that. But I'm not absolutely sure if my vendor ever sends those, it was 
< and > that I identified, but as long as I was writing the code, and 
had been told that mongrel insisted on absolute legal URIs and if it 
wasn't legal by the standard I shouldn't expect mongrel to do anything 
but refuse it--I might as well catch anything else that could make an 
illegal URI.  But actually, yeah, what they are doing is putting 
unescaped _xml_ fragments in a url query string. &foo=<foo>bar</foo>.  
So yeah, a backslash will be in a query string too.

Interesting to me that mongrel no longer chokes on these, since when it 
was brought up before I was told that there was no way no how that 
mongrel was ever going to do anything but choke on them. :)  If I can 
find my test cases from my vendor around, I'll see if current mongrels 
no longer need my workaround, even though you guys told me that would 
never ever happen.  But I run latest ruby gem release, I don't run from 
svn trunk.


Eric Wong wrote:
> Jonathan Rochkind <rochkind at jhu.edu> wrote:
>> My problem was with invalid query strings being sent to me by a vendor,  
>> not with problems in the header. So it won't be _exactly_ the same. I'm  
>> not sure if an apache rewrite map can change headers or not; it can  
>> change path/query string, which is all I needed. But I can show you what  
>> I did, in case it gives you ideas. It was a bit of a pain to figure out.
>> And here's the simple Perl script that replaced illegal chars in URL  
>> path/query string:
>> http://umlaut.rubyforge.org/svn/trunk/script/umlaut/rewrite_map.pl
> These two those are no longer needed with the SVN version (which
> we currently run in production on a pretty heavy site).  I think
> it was IE6 sending them and we can't ignore IE6 :<
>         s/>/%3E/g;
>         s/</%3C/g;
> Unfortunately I don't think it made the 1.1.5 release
>   http://mongrel.rubyforge.org/browser/trunk/ext/http11/http11_parser.c?rev=996
> I don't think I ever saw Mongrel error out on these.  Is your vendor
> really that brain damaged?
>         s/\//%2F/g;
>         s/\\/%5C/g;
> But man, this just creeps me out:
>   s/ /\+/g;
> ps: "tr/ /+/;" should be a tick faster than "s/ /\+/g;" :)

More information about the Mongrel-users mailing list