"HTTP Parameter Pollution" and Rails

Today there was a posting by Stefano di Paola to the Web Security Mailing List,


about "HTTP Parameter Pollution", with a reference to his and Luca Carettoni's presentation at


The point is that different web servers/backends behave differently when handling requests such as

    GET /foo?par1=val1&par1=val2 HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: Host
    Accept: */*

    POST /foo HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: Host
    Accept: */*
    Content-Length: 19

    par1=val1&par1=val2

In both cases the same key (here par1) occurs with two or more values, and which value the application ends up seeing depends entirely on the parser in front of it. The presentation documents both server-side and client-side attacks based on this.

On page 9 the presentation lists many HTTP servers/backends, but not Rails (instead, the Linksys Wireless-G PTZ Internet Camera is included :-). I believe Rails falls under "Last occurrence", and I think that works out well.
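To make the backend differences concrete, here is an added Ruby example; it is not code from this post, from Rails, or from the presentation. It parses a constructed polluted query string (the one from the GET request above) under the occurrence policies the presentation distinguishes, using only the stdlib CGI.parse, which keeps every occurrence of a key. The policy symbols, the polluted_keys helper and the query+body merge are my own illustrative names and assumptions, not Rails API, and the example deliberately shows the general case (all four policies plus a duplicate-key check) rather than only the last-occurrence behaviour the post expects of Rails.

```ruby
require 'cgi'

# Constructed sample: the same key sent twice, as in the GET request above.
POLLUTED_QUERY = "par1=val1&par1=val2"

# CGI.parse keeps every occurrence in order: {"par1"=>["val1", "val2"]}.
# Collapse it the way a given backend would. The policy names are illustrative
# labels for the behaviours the HPP presentation distinguishes; they are an
# assumption of this example, not Rails API.
def parse_with_policy(query, policy)
  CGI.parse(query).each_with_object({}) do |(key, values), params|
    params[key] =
      case policy
      when :first then values.first       # first occurrence wins
      when :last  then values.last        # last occurrence wins (what the post expects of Rails)
      when :all   then values             # every occurrence kept as an array
      when :join  then values.join(",")   # occurrences concatenated with commas
      else raise ArgumentError, "unknown policy #{policy.inspect}"
      end
  end
end

# Defensive check: which keys were supplied more than once? A front end or a
# controller filter can log or reject such requests instead of guessing which
# value the next hop will pick.
def polluted_keys(query)
  CGI.parse(query).select { |_, values| values.size > 1 }.keys
end

# A parameter split across the query string and the POST body is the same
# problem: merge the two sources the way a backend that reads both would
# (assumed here to be simple concatenation) and look for keys that now repeat.
def polluted_keys_across(query, body)
  polluted_keys([query, body].reject(&:empty?).join("&"))
end

if __FILE__ == $0
  %i[first last all join].each do |policy|
    puts "#{policy}: #{parse_with_policy(POLLUTED_QUERY, policy).inspect}"
  end
  puts "polluted keys: #{polluted_keys(POLLUTED_QUERY).inspect}"
  puts "across query+body: #{polluted_keys_across("id=1", "id=2&x=3").inspect}"
end
```

The practical lesson is the one the presentation draws: if a reverse proxy, WAF or front controller applies one policy and the application behind it another, an attacker can choose which component sees which value. Rejecting or logging any request where polluted_keys is non-empty removes the ambiguity instead of trusting a particular parser's tie-break.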

In particular, I see Rails handling requests such as


just fine -- the controller/action one expects is invoked (here, login/index).

However, I couldn't find the behaviour with respect to such multiple key-value assignments, or attempts at overriding the "Rails special" controller/action keys, covered in the actionpack unit tests.

Can you make out any security problems?