Incorrect parsing of url-encoded parameters
Reported by Karl Ravn | September 17th, 2009 @ 07:47 AM | in Future
When retrieving url-encoded values in the query string that, for example, contain the value %u0448, the parser throws an error. There is no way to capture and resolve these failures within the Ruby code, causing hard failures to, for example, a front-end nginx.
Proposed solution:
Let all errors through and let the backend handle the problem.
To reproduce:
require 'test/unit'
require 'shoulda'   # provides context/should for Test::Unit (assumed; not stated in the ticket)
require 'stringio'
require 'thin'      # also loads the thin_parser C extension

class ThinTest < Test::Unit::TestCase
  context "with broken thin parser" do
    should "not raise an error when parsing a faulty url" do
      # Raw request line with CRLF line endings and the terminating blank line,
      # as it would arrive on the socket.
      request_headers = "GET /abc/123%x{} HTTP/1.1"
      request_headers.gsub!(/\r/, "")
      request_headers.gsub!(/\n/, "\r\n")
      request_headers << "\r\n"
      env = {'rack.input' => StringIO.new}
      assert_nothing_raised Thin::InvalidRequest do
        Thin::HttpParser.new.execute(env, request_headers, 0)
      end
    end

    # Encodes the proposed behaviour: %u0448 in the query string should be
    # passed through to the backend rather than rejected by the parser.
    should "not raise an error when parsing a url with %u0448 in it" do
      request_headers = "GET /abc/123?a=%u0448 HTTP/1.1"
      request_headers.gsub!(/\r/, "")
      request_headers.gsub!(/\n/, "\r\n")
      request_headers << "\r\n"
      env = {'rack.input' => StringIO.new}
      assert_nothing_raised Thin::InvalidRequest do
        Thin::HttpParser.new.execute(env, request_headers, 0)
      end
    end
  end
end
Comments and changes to this ticket
macournoyer September 17th, 2009 @ 08:12 AM
Not sure I get what you mean. That's the job of the parser to reject bad requests. The Mongrel parser is very strict, but this is what makes the server secure. If you think the parser is rejecting valid HTTP requests, point me to the HTTP spec section mentioning this is valid.
If you want to support invalid HTTP requests you'll have to write a proxy in front of your web server and rewrite the requests.
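Added example, not Thin's code and not part of this ticket: a strict RFC 3986 percent-decoder that rejects exactly the inputs the ticket describes ("%" must be followed by two hex digits, so %u0448 and %x{} are malformed), next to the rewrite a front-end proxy would have to apply so that the non-standard %uXXXX escapes reach Thin as ordinary UTF-8 percent-encoding. The module name StrictPercent, the surrogate-pair handling and the sample paths are assumptions for illustration; the %uXXXX form itself is not defined by RFC 3986.

```ruby
require 'strscan'

# Added example (not Thin's parser): strict percent-decoding for paths and
# query strings, plus a rewriter for the non-standard %uXXXX escapes the
# ticket complains about. Module name and behaviour are illustrative.
module StrictPercent
  class MalformedEscape < StandardError; end

  # RFC 3986: pct-encoded = "%" HEXDIG HEXDIG. Anything else after '%' is
  # rejected, which is the behaviour the ticket reports from Thin's parser.
  # Works on raw bytes so multibyte input is handled safely, and refuses
  # results that are not valid UTF-8 (overlong forms such as %C0%AF).
  def self.decode(str)
    bytes = str.b          # raw-byte copy of the input
    out = String.new       # ASCII-8BIT accumulator
    i = 0
    while i < bytes.length
      if bytes[i] == '%'
        hex = bytes[i + 1, 2]
        unless hex && hex =~ /\A\h{2}\z/
          raise MalformedEscape, "bad escape at offset #{i}: #{bytes[i, 6].inspect}"
        end
        out << hex.to_i(16).chr
        i += 3
      else
        out << bytes[i]
        i += 1
      end
    end
    out.force_encoding(Encoding::UTF_8)
    raise MalformedEscape, 'decoded bytes are not valid UTF-8' unless out.valid_encoding?
    out
  end

  # Rewrites %uXXXX (including %uD8xx%uDCxx surrogate pairs) into standard
  # UTF-8 percent-encoding, e.g. %u0448 -> %D1%88. This is the kind of
  # rewrite a proxy in front of the server would do. Lone surrogates are
  # rejected rather than emitted as invalid UTF-8.
  def self.rewrite_unicode_escapes(str)
    s = StringScanner.new(str)
    out = ''.dup
    until s.eos?
      if s.scan(/%u(\h{4})/i)
        cp = s[1].to_i(16)
        if (0xD800..0xDBFF).cover?(cp)
          hi = s[1]
          raise MalformedEscape, "lone high surrogate %u#{hi}" unless s.scan(/%u(D[C-F]\h{2})/i)
          cp = 0x10000 + ((cp - 0xD800) << 10) + (s[1].to_i(16) - 0xDC00)
        elsif (0xDC00..0xDFFF).cover?(cp)
          raise MalformedEscape, "lone low surrogate %u#{s[1]}"
        end
        out << [cp].pack('U').bytes.map { |b| format('%%%02X', b) }.join
      else
        out << s.getch
      end
    end
    out
  end

  # The proxy-then-parser pipeline: normalise first, then decode strictly.
  def self.rewrite_and_decode(str)
    decode(rewrite_unicode_escapes(str))
  end
end

if __FILE__ == $PROGRAM_NAME
  puts StrictPercent.rewrite_unicode_escapes('/abc/123?a=%u0448')  # /abc/123?a=%D1%88
  begin
    StrictPercent.decode('/abc/123?a=%u0448')
  rescue StrictPercent::MalformedEscape => e
    puts "rejected: #{e.message}"
  end
end
```

Run as a script it prints the rewritten query string and then the rejection for the raw %u0448 form. The point of keeping decode strict and doing the %uXXXX rewrite as a separate, explicit step is that the parser's rules stay aligned with the spec, and only the component that has chosen to accept the legacy encoding pays for it.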