On Jan 28, 2011, at 4:40 AM, marius.v.niekerk wrote:
> 
> I had another problem with url argument handling that came in was
> 
> "/app/controller/function/arg1\r".
> 
> The default regex matching ( regex_args.match(request.raw_args( )) for
> the arguments would return false and then the application would
> respond with an "invalid request" error.  It is not obvious from the
> error what the reason for failure is.
> 
> Obviously this doesn't happen when visiting sites in a browser, but
> it can be more of an issue for a json-rpc style application.
> 
> Should the url be "sanitized" beforehand?

If you're suggesting that trailing whitespace (including \r) should be treated 
as a special case, then maybe so, but it doesn't seem compelling to me: "Don't 
do that!" That is, yes, the URL should be sanitized, but by the generator, not 
the receiver. Rejecting the request gives an early warning to the developer 
that something is wrong with the URL generation.

Otherwise I think that rejecting such a URL is the right thing to do; we really 
shouldn't be editing a URL (aside from standards-based decoding), since we 
don't know what the intent was. 

We could make the error message more helpful by identifying what was wrong with 
the request. I've done a little of that already. But that's not going to be 
very helpful when the request is automated.
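As an added example (not code from this thread or from web2py itself), here is the check being discussed written out in Python: the argument grammar, the anchoring and the response shape are assumptions. It shows why `"arg1\r"` fails a whole-string match, how the error can name the offending character (with `repr()` so an invisible `\r` shows up in the message, which is what an automated client would need), and one caveat worth knowing about the `$` anchor: in Python `$` also matches just before a trailing `"\n"`, so a `$`-anchored pattern quietly accepts `"arg1\n"` while rejecting `"arg1\r"`; `\Z` (or `fullmatch`) closes that gap.

```python
import re
from typing import Optional, Tuple

# Added example, not web2py's own code. The argument grammar is an assumption:
# one or more "/"-separated segments, each a run of word chars, dots or dashes.
_SEGMENT = r"[\w.-]+"
_ALLOWED_CHAR = re.compile(r"[\w./-]")

# Two anchorings of the same grammar. In Python "$" also matches just before a
# trailing "\n", so the first pattern accepts "arg1\n"; "\Z" does not.
ARGS_RE_DOLLAR = re.compile(rf"^(?:{_SEGMENT}/)*{_SEGMENT}$")
ARGS_RE_STRICT = re.compile(rf"^(?:{_SEGMENT}/)*{_SEGMENT}\Z")


def accepted_by_dollar_anchor(raw_args: str) -> bool:
    """What a '$'-anchored check would say (kept only to show the caveat)."""
    return ARGS_RE_DOLLAR.match(raw_args) is not None


def validate_args(raw_args: str) -> Tuple[bool, Optional[str]]:
    """Strictly validate the raw argument string without altering it.

    Returns (True, None) on a match, otherwise (False, reason) where reason
    names what was wrong; control characters are shown via repr() so an
    invisible "\r" is visible in the error message.
    """
    if ARGS_RE_STRICT.match(raw_args):
        return True, None
    if raw_args == "":
        return False, "empty argument string"
    for pos, ch in enumerate(raw_args):
        if not _ALLOWED_CHAR.fullmatch(ch):
            return False, f"invalid character {ch!r} at position {pos}"
    # Every character is individually allowed, so the problem is structural.
    if raw_args.endswith("/"):
        return False, "trailing '/' leaves an empty last argument"
    return False, "empty argument segment ('//')"


def handle_request(raw_args: str) -> dict:
    """Reject a malformed URL rather than 'fix' it, but say why.

    The response dict is a constructed shape for this example, not a
    framework API.
    """
    ok, reason = validate_args(raw_args)
    if not ok:
        return {"status": 400, "error": f"invalid request: {reason}"}
    return {"status": 200, "args": raw_args.split("/")}


if __name__ == "__main__":
    # Constructed sample argument strings, including the "\r" case from the thread.
    for sample in ("arg1", "arg1\r", "arg1\n", "a//b", "a/b/"):
        print(repr(sample), handle_request(sample),
              "dollar-anchor accepts:", accepted_by_dollar_anchor(sample))
```

Running it prints one line per sample; the `"arg1\n"` row is the one to look at, since the `$`-anchored pattern accepts it while the strict validator rejects it with a reason naming `'\n'` at position 4.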