Skip to content

actix-web returns 400 bad request for http requests emitted by many user agents #3102

New issue
New issue
Open
Open
actix-web returns 400 bad request for http requests emitted by many user agents#3102
Labels
A-httpproject: actix-httpneeds-investigation
@lovasoa

Description

@lovasoa
lovasoa
opened on Aug 13, 2023

Hello, and first, thank you for this great library !

Recently, I published a blog post titled I’m sorry I forked you. In the title, the second character is a curly apostrophe ( U+2019 Right Single Quotation Mark).

I shared it online and started getting hits from a lot of different browsers. I significant portion of hits (I don't know which browsers exactly), did not encode the apostrophe (as %E2%80%99), but included the directly in the HTTP query.

There are two layers between the web and my actix service:

  • cloudflare, which parsed and understood the HTTP query perfectly well, and forwarded it with the curved apostrophe
  • nginx, which also parsed and forwarded the query without issue.

But when it got to actix-web, it failed to parse the query, and returned a 400 back without even invoking my code.
The very confusing error message I got was: [ERROR actix_http::h1::dispatcher] stream error: Request parse error: Invalid Header provided (confusing because the problem did not state what the problem was exactly, and said it came from headers instead of the query string).

See: https://en.wikipedia.org/wiki/Internationalized_Resource_Identifier

Expected Behavior

Since clients in the real world emit http requests with unicode characters, I think actix-web should accept them, and just invoke the user code with the unicode query string.

And when it encounters a real issue with the query string, it should say it comes from the query string, not from the headers, and give more details than just Request parse error.

Current Behavior

logs [ERROR actix_http::h1::dispatcher] stream error: Request parse error: Invalid Header provided

and returns an HTTP 400 bad request response to the client.

Steps to Reproduce (for bugs)

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    actix_web::HttpServer::new(|| actix_web::App::new())
    .bind(("127.0.0.1", 8080))?
    .run()
    .await
}
❯ curl -v 'localhost:8080/’'
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /’ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< content-length: 0
< connection: close
< date: Sun, 13 Aug 2023 20:01:26 GMT
< 
* Closing connection 0

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-httpproject: actix-httpneeds-investigation

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions