Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG: Websocket transport should allow case-insensitive HTTP header lookups (IDFGH-665) #3106

Closed
bverhoeven opened this issue Feb 27, 2019 · 0 comments
Closed

BUG: Websocket transport should allow case-insensitive HTTP header lookups (IDFGH-665) #3106

bverhoeven opened this issue Feb 27, 2019 · 0 comments

Comments

@bverhoeven
Copy link
Contributor

Per the HTTP RFC, header field names are case-insensitive:

Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.

However, ESP-IDF's websocket implementation in the transport_tcp component uses its get_http_header function to get the value of the 'Sec-Websocket-Accept' in a case-sensitive manner by looking for the requested header using strstr.

This is causing valid responses, like below, to be rejected with a "Sec-WebSocket-Accept not found" error:

HTTP/1.1 101 Switching Protocols
connection: Upgrade
sec-websocket-protocol: mqtt
upgrade: websocket
sec-websocket-accept: ERt2/04pC/rOP8P0YlNFyHWld7A=

This error is caused by this call to get_http_header:

esp-idf/components/tcp_transport/transport_ws.c

Lines 119 to 123 in 140b6e3

char *server_key = get_http_header(ws->buffer, "Sec-WebSocket-Accept:");
if (server_key == NULL) {
ESP_LOGE(TAG, "Sec-WebSocket-Accept not found");
return -1;
}

As can be seen, the get_http_header function, as shown below, uses strstr (the first one) to find the substring in the given buffer:

esp-idf/components/tcp_transport/transport_ws.c

Lines 64 to 77 in 140b6e3

static char *get_http_header(const char *buffer, const char *key)
{
char *found = strstr(buffer, key);
if (found) {
found += strlen(key);
char *found_end = strstr(found, "\r\n");
if (found_end) {
found_end[0] = 0;//terminal string
return trimwhitespace(found);
}
}
return NULL;
}

As strstr is case-sensitive, this call will fail to find the "sec-websocket-accept" header because it's looking for "Sec-Websocket-Accept".

This seems to be trivially fixed by using a case-insensitive method, such as strcasestr (and that's something I've done locally) but that function only seems to be available when compiling with _GNU_SOURCE (or the likes) defined and that doesn't seem to happen anywhere within the IDF so I'm hesitant to try that without knowing the implications.

Pointers would be appreciated.
@projectgus projectgus changed the title BUG: Websocket transport should allow case-insensitive HTTP header lookups BUG: Websocket transport should allow case-insensitive HTTP header lookups (IDFGH-665) Mar 12, 2019
@igrr igrr closed this as completed in d943c8d Mar 15, 2019
igrr pushed a commit that referenced this issue Jul 27, 2019
@jitin17 @espressif-bot
tcp_transport: Fix case sensitive header comparison
19fd2b3 
Closes #3106
igrr pushed a commit that referenced this issue Jul 29, 2019
@jitin17 @espressif-bot
tcp_transport: Fix case sensitive header comparison
2d26163 
Closes #3106
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bverhoeven