[erlang-bugs] erlang:decode_packet - wrong parsing of Sec-WebSock-Accept header

Steve Vinoski vinoski@REDACTED
Tue Jan 29 14:57:56 CET 2013


On Tue, Jan 29, 2013 at 5:31 AM, <arif@REDACTED> wrote:

> Hi,
>
> In R15B (erts-5.9) erlang:decode_packet/3 seems to be making an error
> parsing the Sec-WebSock-Accept header
>
> 43> erlang:decode_packet(httph, <<"Sec-WebSocket-Accept:
> whatever\r\n\r\n">>, []).
> {ok,{http_header,0,"Sec-Websocket-Accept",undefined,
>                  "whatever"},
>     <<"\r\n">>}
> 44>
>
> One, it doesn't parse it as an atom, but as a string (but that much can be
> guessed from the documentation).
>


Not all headers are parsed as atoms, since doing that would allow a
malicious client to send a wide variety of different headers that would
eventually overflow the server's atom table and crash the server. Only
common headers are parsed as atoms. Your code needs to be able to handle
both atom and string results from decode_packet.



> Two, the character S in WebSocket is parsed as lowercase instead of the
> uppercase it is in the parsed string.



All HTTP headers are case-insensitive, so regardless of whether the headers
contain SEC-WEBSOCKET-ACCEPT, sEC-wEbSoCkEt-AcCePt, or sec-websocket-accept
as the header name, the parser produces Sec-Websocket-Accept:

1> erlang:decode_packet(httph, <<"SEC-WEBSOCKET-ACCEPT:
whatever\r\n\r\n">>, []).
{ok,{http_header,0,"Sec-Websocket-Accept",undefined,
                 "whatever"},
    <<"\r\n">>}
2> erlang:decode_packet(httph, <<"sEC-wEbSoCkEt-AcCePt:
whatever\r\n\r\n">>, []).
{ok,{http_header,0,"Sec-Websocket-Accept",undefined,
                 "whatever"},
    <<"\r\n">>}
3> erlang:decode_packet(httph, <<"sec-websocket-accept:
whatever\r\n\r\n">>, []).
{ok,{http_header,0,"Sec-Websocket-Accept",undefined,
                 "whatever"},
    <<"\r\n">>}

So, neither of these issues is a bug IMO.

--steve
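The two points above (header names come back as either atoms or strings, and the name is case-normalised by the VM) are easy to get wrong in a hand-rolled request loop. The module below is an added example written for this thread, not code from the original post or from OTP: it drives erlang:decode_packet/3 over a constructed request, accepts both atom and string header names, folds them to a single lowercase key for lookup, and deliberately never calls list_to_atom on client-controlled bytes, so the atom table cannot be grown by an attacker. The request bytes, the module name and the header values are all constructed placeholders.

```erlang
%% header_demo.erl: added example, not part of the original thread or OTP.
-module(header_demo).
-export([parse_request/1, header/2, run/0]).

%% Constructed sample request; values are placeholders.
sample() ->
    <<"GET /chat HTTP/1.1\r\n"
      "Host: example.invalid\r\n"
      "Upgrade: websocket\r\n"
      "SEC-WEBSOCKET-ACCEPT: whatever\r\n"
      "X-Custom-Thing: 42\r\n"
      "\r\n">>.

%% Parse the request line with the 'http' packet type, then the headers
%% with 'httph'. Returns {ok, RequestLine, Headers, Rest} where every header
%% name is a lowercase string, or {error, Reason}.
parse_request(Bin) when is_binary(Bin) ->
    case erlang:decode_packet(http, Bin, []) of
        {ok, {http_request, _Method, _Uri, _Version} = Req, Rest} ->
            collect(Rest, [], Req);
        {ok, {http_error, Line}, _Rest} ->
            {error, {bad_request_line, Line}};
        {more, _} ->
            {error, incomplete};
        {error, Reason} ->
            {error, Reason}
    end.

collect(Bin, Acc, Req) ->
    case erlang:decode_packet(httph, Bin, []) of
        {ok, {http_header, _Int, Name, _Reserved, Value}, Rest} ->
            collect(Rest, [{normalise(Name), Value} | Acc], Req);
        {ok, http_eoh, Rest} ->
            {ok, Req, lists:reverse(Acc), Rest};
        {ok, {http_error, Line}, _Rest} ->
            {error, {bad_header, Line}};
        {more, _} ->
            {error, incomplete};
        {error, Reason} ->
            {error, Reason}
    end.

%% Common headers arrive as atoms ('Host', 'Upgrade'); anything else arrives
%% as a string already in Capitalised-Form ("Sec-Websocket-Accept"). Both are
%% folded to a lowercase string. There is intentionally no list_to_atom/1 on
%% this path: the client chooses the bytes, so creating atoms from them would
%% let it fill the atom table.
normalise(Name) when is_atom(Name) ->
    string:to_lower(atom_to_list(Name));
normalise(Name) when is_list(Name) ->
    string:to_lower(Name).

%% Case-insensitive lookup: the caller may spell the key any way it likes.
header(Key, Headers) when is_list(Key) ->
    proplists:get_value(string:to_lower(Key), Headers).

run() ->
    {ok, Req, Headers, _Rest} = parse_request(sample()),
    io:format("request: ~p~n", [Req]),
    io:format("headers: ~p~n", [Headers]),
    %% Both lookups hit the same entry regardless of the wire spelling.
    io:format("accept: ~p~n", [header("Sec-WebSocket-Accept", Headers)]),
    io:format("host:   ~p~n", [header("HOST", Headers)]),
    ok.
```

Compile with erlc header_demo.erl and call header_demo:run(). With the sample above, Host and Upgrade are returned by the VM as atoms and Sec-WebSocket-Accept and X-Custom-Thing as strings; after normalise/1 all four are lowercase strings, so header/2 finds "Sec-WebSocket-Accept" under whatever capitalisation the client or the caller used.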