[Chicken-users] http egg can't parse valid HTTP headers

[Drew Hess]

Hi,

The regex used to parse HTTP headers in http:read-request-attributes in the
http egg isn't quite right.

  (let ((rx (if (feature? 'pregexp) 
                "([\\-A-Za-z0-9]+):[ ]*([^ ].*)"
                "([-A-Za-z0-9]+):[ ]*([^ ].*)") ) )

RFC 2616 states in Section 4.2 that HTTP headers "follow the same generic
format as that given in Section 3.1 of RFC 822." That means HTTP header
field values may contain quoted strings with spaces, may be empty,
or may even be multi-line (ugh). None of those cases are parsed properly
by http:read-request-attributes. Empty field values, at least, are
not uncommon: RFC 2616 describes some standard headers that may have
empty values, and Twitter's API returns an "X-Transaction: " header,
which is how I discovered this bug.

Unfortunately, properly parsing RFC 822 headers looks pretty hairy,
mainly due to the multi-line case. I don't have a magic patch that does
the right thing. The rfc822 egg (or Gauche's rfc.822 module) provides
an rfc822-header->list procedure that nearly does the same thing as
http:read-request-attributes. Changing the definition of the nested
accum procedure from this:

(define (rfc822-header->list iport #!key strict? (reader (cut read-line <>)))
  (define (accum name bodies r)
    (cons (list name (string-concatenate-reverse bodies)) r))

to this:

(define (rfc822-header->list iport #!key strict? (reader (cut read-line <>)))
  (define (accum name bodies r)
    (cons (cons name (string-concatenate-reverse bodies)) r))

makes it a drop-in replacement for http:read-request-attributes, as far
as I can tell, except for the differences in error-handling.

thanks!
d

pgpWNwqTsL3bG.pgp
Description: PGP signature