ActionDispatch::RequestId#make_request_id removes characters from external request IDs

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

ActionDispatch::RequestId#make_request_id removes characters from external request IDs

Brad Landers
We're using Apache mod_unique_id to pass in request IDs to our Rails app with the directive: RequestHeader set X-Request-Id "%{UNIQUE_ID}e". However, ActionDispatch::RequestId#make_request_id uses a regex to remove characters that aren't within a specified character class. The relevant excerpt is pasted below:

def make_request_id(request_id)
if request_id.presence
.gsub(/[^\w\-]/, "".freeze).first(255)

Unfortunately for Apache users, mod_unique_id uses characters in the class [\w\-@]. An excerpt from the module's "Theory" section:

The UNIQUE_ID environment variable is constructed by encoding the 144-bit (32-bit IP address, 32 bit pid, 32 bit time stamp, 16 bit counter, 32 bit thread index) quadruple using the alphabet [A-Za-z0-9@-] in a manner similar to MIME base64 encoding, producing 24 characters. The MIME base64 alphabet is actually [A-Za-z0-9+/] however + and / need to be specially encoded in URLs, which makes them less desirable

My first inclination is to simply request an expansion of the character class used to include the at symbol, but I'm wondering what the reason behind restricting the request ID to [\w\-] was in the first place? Should it be more permissive in general? If not, it seems reasonable to include the at symbol, given that it is required by a very common web server implementation.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at
For more options, visit