[erlang-bugs] erlang:decode_packet - wrong parsing of Sec-WebSock-Accept header

Sverker Eriksson <>
Tue Jan 29 17:32:19 CET 2013

Loïc Hoguin wrote:
> On 01/29/2013 03:06 PM, Sverker Eriksson wrote:
>>> Two, the character S in WebSocket is parsed as lowercase instead of the
>>> uppercase it is in the parsed string.
>> Header names are case insensitive according to HTTP. To ease matching we
>> always return unrecognized strings on a format with capital letters only
>> first and after hyphen, like "Sec-Websocket-Accept".
> Not exactly true.
> 3> erlang:decode_packet(httph_bin, <<"sec-websocket-version: 
> abc\r\n\r\n">>, []).
> {ok,{http_header,0,<<"sec-websocket-version">>,undefined,
>                  <<"abc">>},
>     <<"\r\n">>}
> 4> erlang:decode_packet(httph_bin, <<"sec-websocket-versio: 
> abc\r\n\r\n">>, []).
> {ok,{http_header,0,<<"Sec-Websocket-Versio">>,undefined,
>                  <<"abc">>},
>     <<"\r\n">>}
> Past a certain number of characters, erlang:decode_packet do not 
> attempt that. Problem is this header is used in the wild and 
> standardized. You should consider increasing that limit slightly.
Deja vu. I thought we fixed this, apparently not.
The limiting factor is an internal buffer with a static size of 20 
characters. I guess increasing the buffer to... say 50 characters would 
do as a pragmatic solution.


More information about the erlang-bugs mailing list