Skip to content

Fix how the client checks for presence of Upgrade: websocket, Connection: upgrade#604

Merged
elithrar merged 1 commit intogorilla:masterfrom
bluetech:fix-header-parsing
Aug 20, 2020
Merged

Fix how the client checks for presence of Upgrade: websocket, Connection: upgrade#604
elithrar merged 1 commit intogorilla:masterfrom
bluetech:fix-header-parsing

Conversation

@bluetech
Copy link
Copy Markdown
Contributor

@bluetech bluetech commented Jun 28, 2020

The values of the Upgrade and Connection response headers can
contain multiple tokens, for example

Connection: upgrade, keep-alive

The WebSocket RFC describes the checking of these as follows:

2. If the response lacks an |Upgrade| header field or the |Upgrade|
   header field contains a value that is not an ASCII case-
   insensitive match for the value "websocket", the client MUST
   _Fail the WebSocket Connection_.

3. If the response lacks a |Connection| header field or the
   |Connection| header field doesn't contain a token that is an
   ASCII case-insensitive match for the value "Upgrade", the client
   MUST _Fail the WebSocket Connection_.

It is careful to note "contains a value", "contains a token".

Previously, the client would reject with "bad handshake" if the header
doesn't contain exactly the value it looks for.

Change the checks to use tokenListContainsValue instead, which is
incidentally what the server is already doing for similar checks.

@bluetech
Fix how the client checks for presence of Upgrade: websocket, Connect…
92a102f 
…ion: upgrade

The values of the `Upgrade` and `Connection` response headers can
contain multiple tokens, for example

    Connection: upgrade, keep-alive

The WebSocket RFC describes the checking of these as follows:

   2.  If the response lacks an |Upgrade| header field or the |Upgrade|
       header field contains a value that is not an ASCII case-
       insensitive match for the value "websocket", the client MUST
       _Fail the WebSocket Connection_.

   3.  If the response lacks a |Connection| header field or the
       |Connection| header field doesn't contain a token that is an
       ASCII case-insensitive match for the value "Upgrade", the client
       MUST _Fail the WebSocket Connection_.

It is careful to note "contains a value", "contains a token".

Previously, the client would reject with "bad handshake" if the header
doesn't contain exactly the value it looks for.

Change the checks to use `tokenListContainsValue` instead, which is
incidentally what the server is already doing for similar checks.
@bluetech
Copy link
Copy Markdown
Contributor Author

bluetech commented Jun 28, 2020

We ran into this issue where some MITM proxy adds Connection: keep-alive to our responses.

The test I added fails before and passes after.

@elithrar elithrar self-requested a review August 20, 2020 13:41
@elithrar elithrar self-assigned this Aug 20, 2020
@elithrar elithrar added the bug label Aug 20, 2020
elithrar
elithrar approved these changes Aug 20, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@elithrar elithrar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this fix, and for including the relevant part of the RFCs.

@elithrar elithrar merged commit 873e67e into gorilla:master Aug 20, 2020
@elithrar elithrar mentioned this pull request Jul 11, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@elithrar elithrar elithrar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@elithrar elithrar

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bluetech @elithrar