Accept a common variation of the websocket header.

The Tornado server sends Sec-Websocket-Accept instead of Sec-WebSocket-Accept. Accept this variation, but don't accept any arbitrary header case at this point.
ahyatt · Oct 17, 2019 · 5be01c6 · 5be01c6
1 parent d91a9ae
commit 5be01c6
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/websocket-test.el b/websocket-test.el
@@ -120,25 +120,32 @@
 
 (ert-deftest websocket-verify-headers ()
   (let ((accept "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=")
+        (accept-alt-case "Sec-Websocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=")
         (invalid-accept "Sec-WebSocket-Accept: bad")
         (upgrade "Upgrade: websocket")
+        (upgrade-alt-case "Upgrade: Websocket")
         (connection "Connection: upgrade")
         (ws (websocket-inner-create
              :conn "fake-conn" :url "ws://foo/bar"
              :accept-string "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="))
         (ws-with-protocol
          (websocket-inner-create
-             :conn "fake-conn" :url "ws://foo/bar"
-             :accept-string "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="
-             :protocols '("myprotocol")))
+          :conn "fake-conn" :url "ws://foo/bar"
+          :accept-string "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="
+          :protocols '("myprotocol")))
         (ws-with-extensions
          (websocket-inner-create
-             :conn "fake-conn" :url "ws://foo/bar"
-             :accept-string "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="
-             :extensions '("ext1" "ext2"))))
+          :conn "fake-conn" :url "ws://foo/bar"
+          :accept-string "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="
+          :extensions '("ext1" "ext2"))))
     (should (websocket-verify-headers
              ws
              (websocket-test-header-with-lines accept upgrade connection)))
+    ;; Force case sensitivity to make sure we aren't too case sensitive.
+    (let ((case-fold-search nil))
+      (should (websocket-verify-headers
+               ws
+               (websocket-test-header-with-lines accept-alt-case upgrade-alt-case connection))))
     (should-error
      (websocket-verify-headers
       ws

diff --git a/websocket.el b/websocket.el
@@ -797,10 +797,10 @@ connection is invalid, the connection will be closed."
 The output is assumed to have complete headers.  This function
 will either return t or call `error'.  This has the side-effect
 of populating the list of server extensions to WEBSOCKET."
-  (let ((accept-string
-         (concat "Sec-WebSocket-Accept: " (websocket-accept-string websocket))))
-    (websocket-debug websocket "Checking for accept header: %s" accept-string)
-    (unless (string-match (regexp-quote accept-string) output)
+  (let ((accept-regexp
+         (concat "Sec-Web[Ss]ocket-Accept: " (regexp-quote (websocket-accept-string websocket)))))
+    (websocket-debug websocket "Checking for accept header regexp: %s" accept-regexp)
+    (unless (string-match accept-regexp output)
       (signal 'websocket-invalid-header
               (list "Incorrect handshake from websocket: is this really a websocket connection?"))))
   (let ((case-fold-search t))