Reject URIs containing user information

WebSocket URIs do not contain user information per section 3 of RFC
6455.

Fixes #65
This commit is contained in:
Gary Burd 2015-05-15 09:26:38 -07:00
parent 6fd0f867fe
commit 1551221275
2 changed files with 6 additions and 0 deletions

View File

@ -130,6 +130,11 @@ func parseURL(s string) (*url.URL, error) {
u.Opaque = s[i:] u.Opaque = s[i:]
} }
if strings.Contains(u.Host, "@") {
// WebSocket URIs do not contain user information.
return nil, errMalformedURL
}
return &u, nil return &u, nil
} }

View File

@ -20,6 +20,7 @@ var parseURLTests = []struct {
{"wss://example.com/", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/"}}, {"wss://example.com/", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/"}},
{"wss://example.com/a/b", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/a/b"}}, {"wss://example.com/a/b", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/a/b"}},
{"ss://example.com/a/b", nil}, {"ss://example.com/a/b", nil},
{"ws://webmaster@example.com/", nil},
} }
func TestParseURL(t *testing.T) { func TestParseURL(t *testing.T) {