From 1551221275a7bd42978745a376b2531f791d88f3 Mon Sep 17 00:00:00 2001
From: Gary Burd
Date: Fri, 15 May 2015 09:26:38 -0700
Subject: [PATCH] Reject URIs containing user information

WebSocket URIs do not contain user information per section 3 of RFC 6455.

Fixes #65
---
 client.go | 5 +++++
 client_test.go | 1 +
 2 files changed, 6 insertions(+)

diff --git a/client.go b/client.go
index 5bc27e1..93db8dd 100644
--- a/client.go
+++ b/client.go
@@ -130,6 +130,11 @@ func parseURL(s string) (*url.URL, error) {
 u.Opaque = s[i:]
 }

+ if strings.Contains(u.Host, "@") {
+ // WebSocket URIs do not contain user information.
+ return nil, errMalformedURL
+ }
+
 return &u, nil
 }

diff --git a/client_test.go b/client_test.go
index d2f2ebd..07a9cb4 100644
--- a/client_test.go
+++ b/client_test.go
@@ -20,6 +20,7 @@ var parseURLTests = []struct {
 {"wss://example.com/", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/"}},
 {"wss://example.com/a/b", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/a/b"}},
 {"ss://example.com/a/b", nil},
+ {"ws://webmaster@example.com/", nil},
 }

 func TestParseURL(t *testing.T) {
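Review bot: The new guard in parseURL denies a single character in `u.Host`, so it is only as good as the host/path split that runs before it, and that split is above the hunk (only `u.Opaque = s[i:]` is visible). If the host is simply the text before the first `/`, which is what that line suggests, a URI with a query but no path would presumably keep the query inside `u.Host`, and the check would then fire on an `@` that is not userinfo or miss other characters that are invalid in a host. I would extend the comment to record the assumption and the choice to reject rather than strip, e.g. `// u.Host is the text before the first "/"; reject userinfo instead of silently dropping it (RFC 6455 section 3).` A follow-up that validates the host positively would be stronger than a one-character denylist.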
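Review bot: The added table entry covers only a bare user name, so it does not pin where the `@` check stops. Add the credential form, `{"wss://user:pass@example.com/", nil},`, and a positive case with `@` in the path, `{"wss://example.com/a@b", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/a@b"}},`, so a later change cannot widen the rejection to the path unnoticed. The expected value for the second entry follows the pattern of the existing `/a/b` row and should be confirmed against parseURL. The parseURLTests table begins outside the hunk.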