Skip to content

HttpServer: match the Upgrade header value case-insensitively #584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bsergean merged 1 commit into from
Jun 24, 2026
+9 −2
Merged

HttpServer: match the Upgrade header value case-insensitively #584

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion ixwebsocket/IXHttpServer.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
#include "IXGzipCodec.h"
#include "IXNetSystem.h"
#include "IXSocketConnect.h"
#include "IXStrCaseCompare.h"
#include "IXUserAgent.h"
#include <cstdint>
#include <cstring>
Expand Down Expand Up @@ -98,7 +99,11 @@ namespace ix
{
auto request = std::get<2>(ret);
std::shared_ptr<ix::HttpResponse> response;

@bsergean bsergean Jun 15, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The headers variable should be a 'case insensitive' map library already, so something is wrong there.

@bsergean bsergean Jun 15, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I got confused, the problem is about the value.

This vibe coded code is impossible to read, we need a function that does if (stringEqual(a, b, true)) with the last arg being case sentisitive or something). Can you look at golang to see if they have such a function ?

@AudriusButkevicius AudriusButkevicius Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies, lacking context, what does go have to do with this? I can add a new function that is case insensitive comparison, but I don't know of a good place for it, so just used compare twice.

@bsergean bsergean Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add that function to this file, and a unittest ?

/*
 *  IXStrCaseCompare.h
 *  Author: Benjamin Sergeant
 *  Copyright (c) 2020 Machine Zone. All rights reserved.
 */

#pragma once

#include <string>

namespace ix
{
    struct CaseInsensitiveLess
    {
        // Case Insensitive compare_less binary function
        struct NocaseCompare
        {
            bool operator()(const unsigned char& c1, const unsigned char& c2) const;
        };

        static bool cmp(const std::string& s1, const std::string& s2);

        bool operator()(const std::string& s1, const std::string& s2) const;
    };
} // namespace ix

// Let's go with this function, and put the implementation in the .cpp file, thanks


#include <string>
#include <cctype>

bool equalIgnoreCaseASCII(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i) {
        unsigned char ca = static_cast<unsigned char>(a[i]);
        unsigned char cb = static_cast<unsigned char>(b[i]);
        if (std::tolower(ca) != std::tolower(cb)) return false;
    }
    return true;
}

if (request->headers["Upgrade"] == "websocket")
// The Upgrade header value is case-insensitive (RFC 6455 4.2.1);
// e.g. Chrome's remote-debugging proxy sends "Upgrade: WebSocket".
const std::string& upgradeHeader = request->headers["Upgrade"];
if (!CaseInsensitiveLess::cmp(upgradeHeader, "websocket") &&
!CaseInsensitiveLess::cmp("websocket", upgradeHeader))
{
WebSocketServer::handleUpgrade(std::move(socket), connectionState, request);
}
Expand Down
4 changes: 3 additions & 1 deletion ixwebsocket/IXWebSocketHandshake.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,9 @@ namespace ix

bool WebSocketHandshake::insensitiveStringCompare(const std::string& a, const std::string& b)
{
return CaseInsensitiveLess::cmp(a, b) == 0;
// Equivalence under the case-insensitive strict weak ordering: neither
// string sorts below the other. (cmp(a, b) == 0 only checked a >= b.)
return !CaseInsensitiveLess::cmp(a, b) && !CaseInsensitiveLess::cmp(b, a);
}

std::string WebSocketHandshake::genRandomString(const int len)
Expand Down
Loading