python-websockets / websockets

Library for building WebSocket servers and clients in Python
https://websockets.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Sec-WebSocket-Accept case sensitive check #1172

Closed sujithhanwha closed 2 years ago

sujithhanwha commented 2 years ago

According to RFC 2616 section 4.2 Message Headers: “Field names are case-insensitive.”

HTTP/1.1 101 Switching Protocols
set-cookie: TRACKID=4b8d418a2e6ba09a6be6fb255af11212; Secure; HttpOnly
sec-websocket-accept: qELEzTXDs0AxcFlAJmMjCSwpgIc=
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
sec-websocket-protocol: rtsp.onvif.org
date: Tue, 03 May 2022 00:04:15 GMT
x-http2-stream-id: 35
connection: Upgrade
upgrade: websocket  

With the above response, where the headers are in lower case, the client is failing with the error message below:

invalid Sec-WebSocket-Accept header: qELEzTXDs0AxcFlAJmMjCSwpgIc=

Should this check be made case-insensitive in the websockets package, or is the server response incorrect?

aaugustin commented 2 years ago

The problem doesn't seem to be the lowercase sec-websocket-accept. As you can see in the error message, websockets properly read the value qELEzTXDs0AxcFlAJmMjCSwpgIc= and then complained about it.

Could you provide the sec-websocket-key value from the request? Probably you need to recreate the problem and log both values. Enabling debug logs in websockets is an easy way to capture everything: https://websockets.readthedocs.io/en/stable/topics/logging.html#configure-logging

sujithhanwha commented 2 years ago

Thank you, Augustin, for the quick response. As you mentioned, it was an issue with the Accept key response from the proxy server, which was mishandling it.
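The check discussed in this thread, as an added example that is not part of the original issue or of the websockets code base: it looks up `sec-websocket-accept` case-insensitively and compares its value with the one RFC 6455 derives from the request's `Sec-WebSocket-Key`. The function names are hypothetical, the key is the sample nonce from RFC 6455, and both responses are constructed (the issue does not include the request key).

```python
import base64
import hashlib

# Fixed GUID defined by RFC 6455 for the opening handshake.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def expected_accept(key: str) -> str:
    """Value the server must return in Sec-WebSocket-Accept for this key."""
    digest = hashlib.sha1((key.strip() + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into a dict keyed by lowercased name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_handshake(request_key: str, raw_response: str) -> tuple:
    """Return (header_found, value_matches) for a 101 response."""
    received = parse_headers(raw_response).get("sec-websocket-accept")
    if received is None:
        return (False, False)
    # Field names are case-insensitive; the base64 value is compared exactly.
    return (True, received == expected_accept(request_key))

# Constructed sample data: RFC 6455 sample nonce and its matching accept value.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD_RESPONSE = "\r\n".join([
    "HTTP/1.1 101 Switching Protocols",
    "connection: Upgrade",
    "upgrade: websocket",
    "sec-websocket-accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=",
    "", "",
])
# Constructed: same response after an intermediary altered the value
# (here the value was lowercased; the field name is untouched).
ALTERED_RESPONSE = GOOD_RESPONSE.replace(
    "s3pPLMBiTxaQ9kYGzzhZRbK+xOo=", "s3pplmbitxaq9kygzzhzrbk+xoo=")

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("altered", ALTERED_RESPONSE)):
        print(label, check_handshake(SAMPLE_KEY, resp))
```

Logging the request key and the received accept value side by side with `expected_accept()` shows whether a mismatch originates at the server or at an intermediary that rewrites the response.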