Jeff Dean's blog
Equality and sameness in Ruby
Posted by Jeff Dean on Monday June 29, 2009 at 06:43AM

Let's say you are building a leetspeak that deals with w00ts. You might write a class that looks like this:

class Woot
  # Every Woot reports itself as == to anything at all
  def ==(other)
    true
  end
end

In theory, any Woot is equal to anything else:

puts Woot.new == Woot.new # true

You might think that with this setup, you could do something like this:

x = [ Woot.new ]
y = [ Woot.new ]
z = x - y

You might expect z to be an empty array in this case, but oh how wrong you would be. In the example above, == is never called at all.

Sanitizing POST params with custom Rack middleware
Posted by Jeff Dean on Thursday June 11, 2009 at 04:48AM

The problem: Improperly escaped post data

I recently worked on an app that processed XML files. Once a week, a legacy system posted a large XML document to the app. For almost a year the app worked perfectly, and then we updated to Rails 2.3.2 and the posts started failing spectacularly. Looking at the log files, I noticed that the params were incorrect:

{"message"=>"hello", "xml"=>"<xml>Foo &amp", "Bar</xml>"=>nil, "action"=>"not_scrubbed", "controller"=>"examples"}

After looking into it further, I realized that the data that was being posted contained semi-colons:

xml=<xml>Foo %26amp; Bar</xml>&message=hello

It turns out that Rails used to split params only on ampersands, but Rack splits on both ampersands and semicolons. We couldn't change the legacy system, so we had to remove the semicolons before the POST params got to Rails.

The solution: Rack middleware

Using Rack middleware, it was easy to insert code before Rails' params-parsing code executed. To start, build a class that conforms to the signature of a Rack middleware layer, like so:
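The post's own middleware is not on this page. As an added example (not the original post's code), here is one class with that signature: it takes the app in its constructor, exposes call(env), and rewrites the raw rack.input body before Rack's form parser sees it. It percent-encodes the semicolon as %3B instead of deleting it so the value decodes intact (an assumption about what the app needed), and the request body is constructed to match the one shown above.

```ruby
require "stringio"

# Rack middleware that rewrites the raw POST body before Rack/Rails parse it.
# Rack splits form bodies on both "&" and ";", so the literal ";" in the
# legacy system's "%26amp;" is taken as a pair separator. Instead of deleting
# the ";" we percent-encode it as "%3B"; the form parser decodes that back
# to ";" inside the value, so the XML arrives intact.
class SemicolonScrubber
  FORM_TYPE = "application/x-www-form-urlencoded"

  def initialize(app)
    @app = app
  end

  def call(env)
    if env["REQUEST_METHOD"] == "POST" && env["CONTENT_TYPE"].to_s.start_with?(FORM_TYPE)
      scrubbed = self.class.scrub(env["rack.input"].read)
      env["rack.input"] = StringIO.new(scrubbed)     # replace the body stream
      env["CONTENT_LENGTH"] = scrubbed.bytesize.to_s # keep length consistent
    end
    @app.call(env)
  end

  # Percent-encode every literal ";" so it can no longer act as a separator.
  def self.scrub(body)
    body.gsub(";", "%3B")
  end

  # Mimics the split Rack 1.x's form parser used (on "&" or ";"), returning
  # only the keys, so the corruption is visible without loading the rack gem.
  def self.keys_as_rack_sees(body)
    body.split(/[&;] */).map { |pair| pair.split("=", 2).first }
  end
end

# Constructed request using the body from the post; the downstream "app"
# just returns the body it was handed so we can inspect it.
def demo
  received = nil
  app = ->(env) { received = env["rack.input"].read; [200, {}, ["ok"]] }
  env = {
    "REQUEST_METHOD" => "POST",
    "CONTENT_TYPE"   => "application/x-www-form-urlencoded",
    "rack.input"     => StringIO.new("xml=<xml>Foo %26amp; Bar</xml>&message=hello"),
  }
  SemicolonScrubber.new(app).call(env)
  received
end
```

In a Rails app this is registered in the middleware stack ahead of the params parser; restricting it to the legacy endpoint's path keeps the rewrite from touching any other form the app accepts.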