On Tue, Oct 10, 2017 at 12:42:55PM -0500, Eric Blake wrote:
> On 10/10/2017 10:43 AM, Daniel P. Berrange wrote:
> > The noVNC server sends a header "Connection: keep-alive, Upgrade" which
> > fails our simple equality test. Split the header on ',', trim whitespace
> > and then check for 'upgrade' token.
> >
> > Signed-off-by: Daniel P. Berrange <[email protected]>
> > ---
> > io/channel-websock.c | 14 +++++++++++++-
> > 1 file changed, 13 insertions(+), 1 deletion(-)
> >
>
> > @@ -440,7 +443,16 @@ static void
> > qio_channel_websock_handshake_process(QIOChannelWebsock *ioc,
> > goto bad_request;
> > }
> >
> > - if (strcasecmp(connection, QIO_CHANNEL_WEBSOCK_CONNECTION_UPGRADE) !=
> > 0) {
>
> My first thought was whether you could just use strcasestr() instead of
> strcasecmp(), rather than the malloc overhead of g_strsplit(). But that
> would treat "noUpgradeGarbage" as success, making your approach a bit
> stricter.

Also note that when reading HTTP headers we've already limited max data
size to 4k for the entire HTTP header set. So we're doing g_strsplit
over a pretty short piece of data, so negligible perf implications of
that.

>
> Reviewed-by: Eric Blake <[email protected]>

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
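
Review bot: At the replaced strcasecmp(connection, QIO_CHANNEL_WEBSOCK_CONNECTION_UPGRADE) check in qio_channel_websock_handshake_process(), the quoted hunk is cut before the added lines, so it is not visible whether the new token loop keeps the comparison case-insensitive and matches whole tokens only. Each trimmed token should still go through strcasecmp() against QIO_CHANNEL_WEBSOCK_CONNECTION_UPGRADE, and the array returned by g_strsplit() should be released with g_strfreev() on the goto bad_request path as well as on success. A handshake test using the noVNC value "Connection: keep-alive, Upgrade" from the commit message would pin the behaviour down.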
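
The difference between a substring match and a whole-token match that the reply above raises, as an added example that is neither QEMU's code nor part of the patch. header_has_token() and header_has_substring() are hypothetical helpers, the token check walks the value in place instead of calling g_strsplit(), and the header values in main() are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: true if the comma-separated header value contains
 * `want` as a whole token, ignoring case and surrounding whitespace.
 * No allocation; empty tokens ("a,,b") are skipped. */
static bool header_has_token(const char *value, const char *want)
{
    size_t wlen = strlen(want);
    const char *p = value;

    while (*p) {
        const char *end = strchr(p, ',');
        const char *next;
        if (end) { next = end + 1; } else { end = p + strlen(p); next = end; }

        while (p < end && isspace((unsigned char)*p)) p++;          /* left trim */
        while (end > p && isspace((unsigned char)end[-1])) end--;   /* right trim */

        if ((size_t)(end - p) == wlen && strncasecmp(p, want, wlen) == 0)
            return true;
        p = next;
    }
    return false;
}

/* Case-insensitive substring match, shown only for comparison: this is the
 * looser behaviour that would accept "noUpgradeGarbage". */
static bool header_has_substring(const char *value, const char *want)
{
    size_t wlen = strlen(want);
    for (; *value; value++)
        if (strncasecmp(value, want, wlen) == 0)
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample Connection header values. */
    const char *samples[] = { "Upgrade", "keep-alive, Upgrade",
                              "noUpgradeGarbage", "keep-alive" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s token=%d substring=%d\n", samples[i],
               header_has_token(samples[i], "upgrade"),
               header_has_substring(samples[i], "upgrade"));
    return 0;
}
```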
