Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WebSocket: should compare 'Upgrade' header value with case insensitive #4617

Conversation

makenowjust
Copy link
Contributor

RFC 6445, section 4.2.1 says clearly:

An Upgrade header field containing the value "websocket", treated as an ASCII case-insensitive value.

And now, we have String#compare(other, case_insensitive: true).

@makenowjust makenowjust force-pushed the fix/http-web-socket-handler/compare-upgrade-case-insensitive branch from 858af90 to c2109db Compare June 24, 2017 02:41
RFC 6445, section 4.2.1 says clearly: "An Upgrade header field containing
the value "websocket", treated as an ASCII case-insensitive value".

https://tools.ietf.org/html/rfc6455#section-4.2.1

And now, we have `String#compare(other, case_insensitive: true)`.
@makenowjust makenowjust force-pushed the fix/http-web-socket-handler/compare-upgrade-case-insensitive branch from c2109db to 40bb277 Compare June 24, 2017 02:44
@@ -14,7 +14,7 @@ class HTTP::WebSocketHandler
end

def call(context)
if context.request.headers["Upgrade"]? == "websocket" && context.request.headers.includes_word?("Connection", "Upgrade")
if context.request.headers["Upgrade"]?.try(&.compare("websocket", case_insensitive: true)) == 0 && context.request.headers.includes_word?("Connection", "Upgrade")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now a very long line of code, it might be good to refactor out upgrade_header = context.request.headers["Upgrade"]? and use if upgrade_header && upgrade_header.compare("websocket", case_insensitive: true) == 0 && context.request.headers.includes_word?("Connection", "Upgrade") but that's still rather long.

How about structuring this as a series of guards:

call_next(context) unless upgrade_header && upgrade_header.compare("websocket", case_insensitive: true) == 0
call_next(context) unless context.request.headers.includes_word?("Connection", "Upgrade")

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you 😆

@sdogruyol
Copy link
Member

sdogruyol commented Jun 24, 2017

One of the Kemal users exactly reported an issue related to this. I think this is an important issue and this PR solves 👍

@miks
Copy link

miks commented Jun 27, 2017

IE11 and below are sending 'Upgrade' header with capitalized "Websocket"

@miks
Copy link

miks commented Jul 2, 2017

Any ETA for merging this?

@mverzilli mverzilli merged commit dcf8a03 into crystal-lang:master Jul 2, 2017
@mverzilli
Copy link

Any ETA for merging this?

How about now? :)

@mverzilli
Copy link

Thanks @makenowjust! Love this little, self-contained PRs with specs ❤️

@mverzilli mverzilli added this to the Next milestone Jul 2, 2017
@makenowjust makenowjust deleted the fix/http-web-socket-handler/compare-upgrade-case-insensitive branch July 2, 2017 22:42
@matiasgarciaisaia matiasgarciaisaia modified the milestones: 0.23.1, Next Jul 13, 2017
Val pushed a commit to Val/crystal that referenced this pull request Aug 12, 2017
crystal-lang#4617)

RFC 6445, section 4.2.1 says clearly: "An Upgrade header field containing
the value "websocket", treated as an ASCII case-insensitive value".

https://tools.ietf.org/html/rfc6455#section-4.2.1

And now, we have `String#compare(other, case_insensitive: true)`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants