[Mongrel] Bare carriage returns in HTTP headers

Jonathan Rochkind rochkind at jhu.edu
Thu Mar 26 16:41:23 EDT 2009

Oh, and PS: I know that IE6 sends those, because I discovered it. Safari 
does too, for that matter, if they are (illegally) in a URL in HTML or 
entered in the location bar, etc. 

My particular case in fact involved URLs in HTML (produced by a third 
party, but targeting my app) delivered to an ordinary user agent like 
IE6 or Firefox or Safari.  Firefox would happily correct them before 
sending them to the server.  IE6 and Safari, no.

This is what I reported like a year and a half ago, and was told it 
wasn't mongrel's problem. And brought up again like four months ago, to 
see if with different developers you'd have a different opinion, and was 
again told it wasn't mongrel's problem.

I guess someone with more pull than me found it inconvenient?


Eric Wong wrote:
> Jonathan Rochkind <rochkind at jhu.edu> wrote:
>> My problem was with invalid query strings being sent to me by a vendor,  
>> not with problems in the header. So it won't be _exactly_ the same. I'm  
>> not sure if an apache rewrite map can change headers or not; it can  
>> change path/query string, which is all I needed. But I can show you what  
>> I did, in case it gives you ideas. It was a bit of a pain to figure out.
>> And here's the simple Perl script that replaced illegal chars in URL  
>> path/query string:
>> http://umlaut.rubyforge.org/svn/trunk/script/umlaut/rewrite_map.pl
> These two are no longer needed with the SVN version (which
> we currently run in production on a pretty heavy site).  I think
> it was IE6 sending them and we can't ignore IE6 :<
>         s/>/%3E/g;
>         s/</%3C/g;
> Unfortunately I don't think it made the 1.1.5 release
>   http://mongrel.rubyforge.org/browser/trunk/ext/http11/http11_parser.c?rev=996
>
> I don't think I ever saw Mongrel error out on these.  Is your vendor
> really that brain damaged?
>         s/\//%2F/g;
>         s/\\/%5C/g;
>
> But man, this just creeps me out:
>   s/ /\+/g;
>
> ps: "tr/ /+/;" should be a tick faster than "s/ /\+/g;" :)
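The rewrite-map idea discussed above, as an added example that is not part of the original thread, of Mongrel, or of the umlaut rewrite_map.pl script: the same escaping written in Ruby (Mongrel's own language) as an Apache RewriteMap prg: program. The exact character set, the function names and the sample URIs are assumptions made for this example, not a statement of which bytes Mongrel's parser rejects.

```ruby
require 'stringio'

# Added example, not code from the thread, from Mongrel or from the umlaut
# rewrite_map.pl script: an Apache RewriteMap "prg:" filter that
# percent-encodes the characters the quoted Perl substitutions deal with
# (<, >, \, space) before the request reaches Mongrel's parser. The names,
# the constructed samples and the character set are this example's own
# assumptions.

# Bytes RFC 3986 lets a path or query carry unescaped: unreserved and
# sub-delims plus ":", "@", "/" and "?". Everything else (including "<",
# ">", "\", space, CR, LF and any non-ASCII byte) is percent-encoded.
# "/" is left alone, unlike the quoted script, because encoding it inside
# the path would change which resource is requested.
SAFE_BYTES = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" \
              "0123456789-._~!$&'()*+,;=:@/?").bytes.freeze
HEX_BYTES  = "0123456789abcdefABCDEF".bytes.freeze

# Percent-encode unsafe bytes in a request URI (path plus optional query).
# An existing %XX escape is copied through unchanged so an already-encoded
# URL is not double-encoded; a "%" not followed by two hex digits is itself
# escaped as %25 so the output is always a valid percent-encoded string.
def sanitize_request_uri(uri)
  bytes = uri.bytes
  out = +""
  i = 0
  while i < bytes.length
    b = bytes[i]
    if b == 37 && i + 2 < bytes.length &&   # 37 is "%"
       HEX_BYTES.include?(bytes[i + 1]) && HEX_BYTES.include?(bytes[i + 2])
      out << "%" << bytes[i + 1].chr << bytes[i + 2].chr
      i += 3
    elsif SAFE_BYTES.include?(b)
      out << b.chr
      i += 1
    else
      out << format("%%%02X", b)
      i += 1
    end
  end
  out
end

# RewriteMap "prg:" protocol: httpd writes one lookup key per line to the
# program's stdin and reads one answer line from its stdout, so each answer
# must be flushed immediately or httpd blocks waiting for it.
def run_rewrite_map(input = $stdin, output = $stdout)
  output.sync = true
  input.each_line do |line|
    output.puts sanitize_request_uri(line.chomp)
  end
end

# Constructed sample request URIs of the kinds the thread describes.
SAMPLES = [
  "/resolve?title=<b>Foo</b>&q=a b",   # raw < > and space, as IE6/Safari send
  "/a?x=100%",                         # stray percent sign
  "/a?x=%3Cok%3E",                     # already encoded: must pass through
  "/a?x=foo\rbar",                     # bare CR that reached the query string
  "/a\\b",                             # backslash in the path
  "/caf\u00E9",                        # raw UTF-8 byte sequence
].freeze

if $PROGRAM_NAME == __FILE__
  # Stand-alone: show what each sample becomes. To use the file as an Apache
  # RewriteMap program instead, replace this branch with run_rewrite_map.
  SAMPLES.each { |s| puts "#{s.inspect} -> #{sanitize_request_uri(s)}" }
end
```

Wired in with `RewriteMap name prg:/path/to/script.rb` and a RewriteRule whose substitution calls `${name:...}` with the path and query string; the matching RewriteCond/RewriteRule depends on how the front end hands over the URI and is not shown here. Two deliberate differences from the quoted Perl: space becomes `%20` rather than `+`, since `+` only means space inside a form-encoded query string and not in a path, and `/` is kept, which avoids the concern raised in the quoted reply. Like the Perl script, this only touches the path and query string handed to the map; a bare carriage return inside a header value never passes through it.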