Would anybody be negatively affected by this change? I've been seeing \x00 bytes in HTTP headers from clients and would rather stop those clients earlier rather than later.
>From 4a8ddcd017a75b9bc99190dc565880615709d810 Mon Sep 17 00:00:00 2001 From: Eric Wong <[email protected]> Date: Tue, 12 Jul 2011 23:52:33 +0000 Subject: [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values RFC 2616 doesn't appear to allow most CTL bytes even though Mongrel always did. Rack::Lint disallows 0..31, too, though we allow "\t" (HT, 09) since it's LWS and allowed by RFC 2616. --- ext/unicorn_http/unicorn_http_common.rl | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ext/unicorn_http/unicorn_http_common.rl b/ext/unicorn_http/unicorn_http_common.rl index cf93fec..cc1d455 100644 --- a/ext/unicorn_http/unicorn_http_common.rl +++ b/ext/unicorn_http/unicorn_http_common.rl @@ -20,6 +20,7 @@ pchar = (uchar | ":" | "@" | "&" | "=" | "+"); tspecials = ("(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\\" | "\"" | "/" | "[" | "]" | "?" | "=" | "{" | "}" | " " | "\t"); lws = (" " | "\t"); + content = ((any -- CTL) | lws); # elements token = (ascii -- (CTL | tspecials)); @@ -50,9 +51,9 @@ field_name = ( token -- ":" )+ >start_field $snake_upcase_field %write_field; - field_value = any* >start_value %write_value; + field_value = content* >start_value %write_value; - value_cont = lws+ any* >start_value %write_cont_value; + value_cont = lws+ content* >start_value %write_cont_value; message_header = ((field_name ":" lws* field_value)|value_cont) :> CRLF; chunk_ext_val = token*; -- Eric Wong _______________________________________________ Unicorn mailing list - [email protected] http://rubyforge.org/mailman/listinfo/mongrel-unicorn Do not quote signatures (like this one) or top post when replying
