fix websocket header validation, ensure it meets token requirements, add

testing
2025-08-06 06:00:15 +01:00 · 2016-01-03 11:51:25 -05:00 · 2016-01-03 11:51:25 -05:00 · 3846cf52f2
commit 3846cf52f2
parent 5b2d2c0ed8
7 changed files with 109 additions and 38 deletions
--- a/components/script/dom/bindings/str.rs
+++ b/components/script/dom/bindings/str.rs
@ -11,6 +11,7 @@ use std::ops;
 use std::str;
 use std::str::FromStr;
 use util::mem::HeapSizeOf;
+use util::str::is_token;

 /// Encapsulates the IDL `ByteString` type.
 #[derive(JSTraceable, Clone, Eq, PartialEq, HeapSizeOf)]
@ -49,35 +50,7 @@ impl ByteString {
    /// [RFC 2616](http://tools.ietf.org/html/rfc2616#page-17).
    pub fn is_token(&self) -> bool {
        let ByteString(ref vec) = *self;
-        if vec.is_empty() {
-            return false; // A token must be at least a single character
-        }
-        vec.iter().all(|&x| {
-            // http://tools.ietf.org/html/rfc2616#section-2.2
-            match x {
-                0...31 | 127 => false, // CTLs
-                40 |
-                41 |
-                60 |
-                62 |
-                64 |
-                44 |
-                59 |
-                58 |
-                92 |
-                34 |
-                47 |
-                91 |
-                93 |
-                63 |
-                61 |
-                123 |
-                125 |
-                32 => false, // separators
-                x if x > 127 => false, // non-CHARs
-                _ => true,
-            }
-        })
+        is_token(vec)
    }

    /// Returns whether `self` is a `field-value`, as defined by
--- a/components/script/dom/websocket.rs
+++ b/components/script/dom/websocket.rs
@ -34,11 +34,12 @@ use net_traits::unwrap_websocket_protocol;
 use net_traits::{WebSocketCommunicate, WebSocketConnectData, WebSocketDomAction, WebSocketNetworkEvent};
 use script_thread::ScriptThreadEventCategory::WebSocketEvent;
 use script_thread::{CommonScriptMsg, Runnable, ScriptChan};
+use std::ascii::AsciiExt;
 use std::borrow::ToOwned;
 use std::cell::Cell;
 use std::ptr;
 use std::thread;
-use util::str::DOMString;
+use util::str::{DOMString, is_token};
 use websocket::client::request::Url;
 use websocket::header::{Headers, WebSocketProtocol};
 use websocket::ws::util::url::parse_url;
@ -218,17 +219,13 @@ impl WebSocket {
        for (i, protocol) in protocols.iter().enumerate() {
            // https://tools.ietf.org/html/rfc6455#section-4.1
            // Handshake requirements, step 10
-            if protocol.is_empty() {
+
+            if protocols[i + 1..].iter().any(|p| p.eq_ignore_ascii_case(protocol)) {
                return Err(Error::Syntax);
            }

-            if protocols[i + 1..].iter().any(|p| p == protocol) {
-                return Err(Error::Syntax);
-            }
-
-            // TODO: also check that no separator characters are used
            // https://tools.ietf.org/html/rfc6455#section-4.1
-            if protocol.chars().any(|c| c < '\u{0021}' || c > '\u{007E}') {
+            if !is_token(protocol.as_bytes()) {
                return Err(Error::Syntax);
            }
        }