CGI request query string parsing error in Rails

I'm using a 3rd party component that generates URLs with query strings. These URLs are of the form:

http://host+port stuff/path/filename?&param1=xyz&param2=lskjf...

It's interesting how HTTP as touted as the "everyman protocol" with claims that anyone can write a client or server, yet the RFC is so complex that supposedly professional developers can't get simple stuff like this right.

I've checked both RFC 1738 and RFC 3986, which define URL formats, and it appears to me that the first parameter in a query string may indeed have "&" in front of the name. The 3rd party developer develops against Apache and has never had this problem.

Yep, technically you can do this, but what does it mean? The standard also says this should be a sequence of & and = characters that makes up form values. So what does the stray & mean? How would you parse it? This is generally translated into a Hash so is it dropped or is something special done?

The issue you're running into isn't an HTTP level problem but more of how an application should parse the parameters of a query form. When they do this, it's for a form from a browser. Without a good reason for doing this it's hard to justify suddenly allowing it. In fact I'd put something like this in the realm of sneaky potentially dangerous stuff since--if you decided to remove them when encountered--you could get this:

/stuff/path/file?&&&&&&&&&&&&&&&&&&& &&& && &&&& &&&&&&param1=xyz

Just waiting to be abused there.

Instead, I'd tell the guy that while it's not explicitly forbidden in the HTTP RFC it is not standard practice, does not follow how any browser submits forms, and isn't allowed in many CGI processing libraries.

Also, you should probably call him out on it since what he's doing is looping over the hash of params and he's too lazy to do the join right so he just tacks a "&" in front. I'm betting there's other parts of the code that are very questionable. He's basically doing this:

string query = "" foreach key in params   query += "&" + key + "=" + params[key] end

He'll most likely fight you on it rather than change it since he's probably got code like this all over and he thought it was an ultra clever solution. He's also most likely using a C type language with poor strings that don't have a "join". If he's using ruby then definitely kick him to the curb since he should know better.

It's classic Potpourri Turd Syndrome (his turd don't stink, no everyone else's is crap).