Skip to content


Rack fails to find multipart boundary. #518

bwilk opened this Issue · 5 comments

3 participants


The method fast_forward_to_first_boundary of the multipart parser: rack / lib / rack / multipart / parser.rb fails to find boundary if it is is terminated by "\n" (not the EOL = "\r\n"). As a result the parts of request cannot be identified at all. Is it intended behaviour?

The following line is affected:
return if read_buffer == full_boundary

Official Rack repositories member

AFAICT the HTTP RFC enforces use of CRLF.


Well, I totally agree. Just for your consideration - although being strict is great when you are the active side (client) of the protocol, a rigor on the passive side (server) may cause some clients (not so well implemented) not fuctioning - eg. I failed using The reason of failure is not so easy to detect while debugging the request processing flow.

Official Rack repositories member

The problem is that lax handling of line terminators opens the door to a lot of injection attacks.

Perhaps you can run your Rack app behind a web server that sanitizes such things?

Official Rack repositories member

Heroku folks can't. I spoke with Terrence about this again today, but I'm not sure if it'll happen soon. We ideally should handle most inputs in a sane way.

I'll consider it.


I'm glad to hear that. Thanks for updating the thread.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.