From 7ad14481695df5adb070d52a377de49f43ddf399 Mon Sep 17 00:00:00 2001
From: Miguel Grinberg
Date: Tue, 15 Oct 2024 09:41:40 +0100
Subject: [PATCH] Reject request with incorrect transport (Fixes #367)
---
 src/engineio/async_server.py | 7 ++++---
 src/engineio/server.py | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/engineio/async_server.py b/src/engineio/async_server.py
index ea346fb9..66120502 100644
--- a/src/engineio/async_server.py
+++ b/src/engineio/async_server.py
@@ -269,11 +269,11 @@ async def handle_request(self, *args, **kwargs):
 'bad-jsonp-index')
 r = self._bad_request('Invalid JSONP index number')
 elif method == 'GET':
+ upgrade_header = environ.get('HTTP_UPGRADE').lower() \
+ if 'HTTP_UPGRADE' in environ else None
 if sid is None:
 # transport must be one of 'polling' or 'websocket'.
 # if 'websocket', the HTTP_UPGRADE header must match.
- upgrade_header = environ.get('HTTP_UPGRADE').lower() \
- if 'HTTP_UPGRADE' in environ else None
 if transport == 'polling' \
 or transport == upgrade_header == 'websocket':
 r = await self._handle_connect(environ, transport,
@@ -288,7 +288,8 @@ async def handle_request(self, *args, **kwargs):
 r = self._bad_request('Invalid session ' + sid)
 else:
 socket = self._get_socket(sid)
- if self.transport(sid) != transport:
+ if self.transport(sid) != transport and \
+ transport != upgrade_header:
 self._log_error_once(
 'Invalid transport for session ' + sid,
 'bad-transport')
diff --git a/src/engineio/server.py b/src/engineio/server.py
index 7b71c0e5..578780bc 100644
--- a/src/engineio/server.py
+++ b/src/engineio/server.py
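Review bot: The hoisted `upgrade_header` assignment at the top of the `elif method == 'GET':` branch in src/engineio/async_server.py (hunk at -269) carries no comment, while the line that explains it, `# if 'websocket', the HTTP_UPGRADE header must match.`, stays inside `if sid is None:`. The value now also feeds the transport check for existing sessions, so I would add above the assignment `# lower-cased Upgrade header, or None when absent; used for new connections and for upgrades of an existing session`. The matching hunk at -251 in src/engineio/server.py needs the same comment. handle_request starts and ends outside the hunk.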
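Review bot: The relaxed guard in the existing-session branch of src/engineio/async_server.py (hunk at -288), `transport != upgrade_header`, compares two request-supplied values with each other (`transport`, presumably from the query string, and the Upgrade header), so any matching pair skips the 'bad-transport' rejection, not only a websocket upgrade. The new-connection branch earlier in the same function pins the value with `transport == upgrade_header == 'websocket'`, and the same pin fits here: `if self.transport(sid) != transport and not (transport == upgrade_header == 'websocket'):`. Whether the socket's GET handler re-validates the header is not visible in this hunk, so this is defence in depth at the point where the request is accepted. The hunk at -270 in src/engineio/server.py has the identical condition and needs the same change. handle_request's body continues outside the hunk.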
@@ -251,11 +251,11 @@ def handle_request(self, environ, start_response):
 'bad-jsonp-index')
 r = self._bad_request('Invalid JSONP index number')
 elif method == 'GET':
+ upgrade_header = environ.get('HTTP_UPGRADE').lower() \
+ if 'HTTP_UPGRADE' in environ else None
 if sid is None:
 # transport must be one of 'polling' or 'websocket'.
 # if 'websocket', the HTTP_UPGRADE header must match.
- upgrade_header = environ.get('HTTP_UPGRADE').lower() \
- if 'HTTP_UPGRADE' in environ else None
 if transport == 'polling' \
 or transport == upgrade_header == 'websocket':
 r = self._handle_connect(environ, start_response,
@@ -270,7 +270,8 @@ def handle_request(self, environ, start_response):
 r = self._bad_request('Invalid session')
 else:
 socket = self._get_socket(sid)
- if self.transport(sid) != transport:
+ if self.transport(sid) != transport and \
+ transport != upgrade_header:
 self._log_error_once(
 'Invalid transport for session ' + sid,
 'bad-transport')