#113 new
Karl Ravn

Incorrect parsing of url-encoded parameters

Reported by Karl Ravn | September 17th, 2009 @ 07:47 AM | in Future

When retreiving url-encoded values in the querystring that for example contains the value %u0448, the parser throws an error. There is no way to capture and resolve these failures within the rubycode, causing hard failures to for example a front-end nginx.

Proposed solution:
Let all errors through and let the backend handle the problem.

To reproduce:

require 'thin'
require 'thin_parser'

class ThinTest < Test::Unit::TestCase

context "with broken thin parser" do

should "not raise an error when parsing a faulty url" do
  request = Rack::MockRequest.new($app)

  request_headers = "GET /abc/123%x{} HTTP/1.1"
  request_headers.gsub!(/\r/, "")
  request_headers.gsub!(/\n/, "\r\n")
  request_headers << "\r\n";

  x = {'rack.input' => StringIO.new}
  assert_nothing_raised Thin::InvalidRequest do
    Thin::HttpParser.new.execute(x, request_headers, 0)
  end
end
should "raise an error when parsing a url with %u0448 in it" do
  request = Rack::MockRequest.new($app)

  request_headers = "GET /abc/123?a=%u0448 HTTP/1.1"
  request_headers.gsub!(/\r/, "")
  request_headers.gsub!(/\n/, "\r\n")
  request_headers << "\r\n";

  x = {'rack.input' => StringIO.new}
  assert_nothing_raised Thin::InvalidRequest do
    Thin::HttpParser.new.execute(x, request_headers, 0)
  end
end

end end

Comments and changes to this ticket

  • macournoyer

    macournoyer September 17th, 2009 @ 08:12 AM

    Not sure I get what you mean. That's the job of the parser to reject bad requests. The Mongrel parser is very strict, but this is what makes the server secure. If you think the parser is rejecting valid HTTP request, point me to the HTTP spec section mentioning this is valid.

    If you want to support invalid HTTP requests you'll have to write a proxy in front of your web server and rewrite the requests.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

People watching this ticket

Pages