Reject request with incorrect transport (Fixes #367)
miguelgrinberg committed Oct 15, 2024
1 parent 91d83c2 commit 7ad1448
Showing 2 changed files with 8 additions and 6 deletions.
7 changes: 4 additions & 3 deletions src/engineio/async_server.py
Expand Up @@ -269,11 +269,11 @@ async def handle_request(self, *args, **kwargs):
'bad-jsonp-index')
r = self._bad_request('Invalid JSONP index number')
elif method == 'GET':
upgrade_header = environ.get('HTTP_UPGRADE').lower() \
if 'HTTP_UPGRADE' in environ else None
if sid is None:
# transport must be one of 'polling' or 'websocket'.
# if 'websocket', the HTTP_UPGRADE header must match.
upgrade_header = environ.get('HTTP_UPGRADE').lower() \
if 'HTTP_UPGRADE' in environ else None
if transport == 'polling' \
or transport == upgrade_header == 'websocket':
r = await self._handle_connect(environ, transport,
Expand All @@ -288,7 +288,8 @@ async def handle_request(self, *args, **kwargs):
r = self._bad_request('Invalid session ' + sid)
else:
socket = self._get_socket(sid)
if self.transport(sid) != transport:
if self.transport(sid) != transport and \
transport != upgrade_header:
self._log_error_once(
'Invalid transport for session ' + sid,
'bad-transport')
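Review bot: The new exemption `transport != upgrade_header` in the existing-session branch compares two client-supplied values with each other, so it is met by any request whose Upgrade header repeats its `transport` parameter, not only by a genuine websocket upgrade. The connect branch just above pins the value with `transport == upgrade_header == 'websocket'`; using the same form here, `if self.transport(sid) != transport and not (transport == upgrade_header == 'websocket'):`, would keep the transport check in force for sessions that are not upgrading. Whether `transport` is already restricted to the configured transports earlier in `handle_request` is not visible here, since the function starts and ends outside the hunk. The identical condition in src/engineio/server.py has the same gap.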
7 changes: 4 additions & 3 deletions src/engineio/server.py
Expand Up @@ -251,11 +251,11 @@ def handle_request(self, environ, start_response):
'bad-jsonp-index')
r = self._bad_request('Invalid JSONP index number')
elif method == 'GET':
upgrade_header = environ.get('HTTP_UPGRADE').lower() \
if 'HTTP_UPGRADE' in environ else None
if sid is None:
# transport must be one of 'polling' or 'websocket'.
# if 'websocket', the HTTP_UPGRADE header must match.
upgrade_header = environ.get('HTTP_UPGRADE').lower() \
if 'HTTP_UPGRADE' in environ else None
if transport == 'polling' \
or transport == upgrade_header == 'websocket':
r = self._handle_connect(environ, start_response,
Expand All @@ -270,7 +270,8 @@ def handle_request(self, environ, start_response):
r = self._bad_request('Invalid session')
else:
socket = self._get_socket(sid)
if self.transport(sid) != transport:
if self.transport(sid) != transport and \
transport != upgrade_header:
self._log_error_once(
'Invalid transport for session ' + sid,
'bad-transport')
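Review bot: The widened condition `self.transport(sid) != transport and transport != upgrade_header` carries no comment saying why a transport mismatch is tolerated, while the connect branch above documents its rule. A comment ahead of it such as `# a transport mismatch is only acceptable while the client is upgrading, i.e. the requested transport matches the Upgrade header` would record the intent for the next reader. The `upgrade_header` assignment appears to have been hoisted above `if sid is None:`, which leaves the comment `# if 'websocket', the HTTP_UPGRADE header must match.` away from the line it explains; a short note at the new location saying that both branches read the value would help. The same applies to src/engineio/async_server.py, and `handle_request` continues outside the hunk.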
