Reject URIs containing user information
WebSocket URIs do not contain user information per section 3 of RFC
6455.

Fixes gorilla#65
garyburd committed May 15, 2015
1 parent 6fd0f86 commit 1551221
Showing 2 changed files with 6 additions and 0 deletions.
5 changes: 5 additions & 0 deletions client.go
@@ -130,6 +130,11 @@ func parseURL(s string) (*url.URL, error) {
u.Opaque = s[i:]
}

if strings.Contains(u.Host, "@") {
// WebSocket URIs do not contain user information.
return nil, errMalformedURL
}

return &u, nil
}

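Review bot: The comment on the new guard in parseURL says what is rejected but not why, and without that context the rule is easy to relax later. I would spell it out, e.g. `// RFC 6455 section 3: ws/wss URIs have no userinfo; reject "user@host" here so it is never returned as u.Host.` The check is a substring test on u.Host only, so it depends on the host/path split done earlier in parseURL, which is outside this hunk; if that split changes, this guard should be re-checked. Callers receive the generic errMalformedURL, so the cause is not distinguishable from other parse failures, which looks intentional but is worth noting in the function's doc comment.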
1 change: 1 addition & 0 deletions client_test.go
@@ -20,6 +20,7 @@ var parseURLTests = []struct {
{"wss://example.com/", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/"}},
{"wss://example.com/a/b", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/a/b"}},
{"ss://example.com/a/b", nil},
{"ws://webmaster@example.com/", nil},
}

func TestParseURL(t *testing.T) {
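Review bot: The table gains a single negative case, so nothing pins that the new check is limited to the host part. Assuming the host/path split shown by the existing entries, I would add `{"ws://user:pass@example.com/", nil},` and `{"ws://example.com/a@b", &url.URL{Scheme: "ws", Host: "example.com", Opaque: "/a@b"}},` so that a credential-bearing URI is rejected and an "@" in the path is still accepted. parseURLTests starts above the hunk and TestParseURL continues below it.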
