From 8b9f9f086691d154d6822c013a7f162a9726e390 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?=
Date: Mon, 5 Mar 2018 15:45:38 +0100
Subject: The Websocket subprotocol tokens are case sensitive

As clarified in https://tools.ietf.org/html/rfc7936 the IANA registry only accepts case insensitive values for clarity's sake but the actual tokens are case sensitive.
---
 src/cow_http_hd.erl | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/cow_http_hd.erl b/src/cow_http_hd.erl
index 08c392b..7ff2112 100644
--- a/src/cow_http_hd.erl
+++ b/src/cow_http_hd.erl
@@ -2624,12 +2624,13 @@ parse_sec_websocket_key(SecWebSocketKey) ->
 -spec parse_sec_websocket_protocol_req(binary()) -> [binary()].
 parse_sec_websocket_protocol_req(SecWebSocketProtocol) ->
- nonempty(token_ci_list(SecWebSocketProtocol, [])).
+ nonempty(token_list(SecWebSocketProtocol, [])).
 -ifdef(TEST).
 parse_sec_websocket_protocol_req_test_() ->
 Tests = [
- {<<"chat, superchat">>, [<<"chat">>, <<"superchat">>]}
+ {<<"chat, superchat">>, [<<"chat">>, <<"superchat">>]},
+ {<<"Chat, SuperChat">>, [<<"Chat">>, <<"SuperChat">>]}
 ],
 [{V, fun() -> R = parse_sec_websocket_protocol_req(V) end}
 || {V, R} <- Tests].
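Review bot: Nothing next to `parse_sec_websocket_protocol_req/1` tells callers that the returned tokens now keep the client's casing. Code that matched the old lowercased result against lowercase literals will silently stop selecting a subprotocol for an offer such as `Chat`. I would state the contract beside the spec, for example `%% Tokens are returned exactly as received; subprotocol names are case sensitive, so compare them byte-for-byte.` The function's own doc comment sits above the hunk and may need the same sentence.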
@@ -2649,23 +2650,21 @@ horse_parse_sec_websocket_protocol_req() ->
 %% @doc Parse the Sec-Websocket-Protocol response header.
 -spec parse_sec_websocket_protocol_resp(binary()) -> binary().
-parse_sec_websocket_protocol_resp(<< C, R/bits >>) when ?IS_TOKEN(C) ->
- ?LOWER(token_ci, R, <<>>).
-
-token_ci(<<>>, T) -> T;
-token_ci(<< C, R/bits >>, T) when ?IS_TOKEN(C) ->
- ?LOWER(token_ci, R, T).
+parse_sec_websocket_protocol_resp(Protocol) ->
+ true = <<>> =/= Protocol,
+ ok = validate_token(Protocol),
+ Protocol.
 -ifdef(TEST).
 prop_parse_sec_websocket_protocol_resp() ->
 ?FORALL(T, token(),
- ?LOWER(T) =:= parse_sec_websocket_protocol_resp(T)).
+ T =:= parse_sec_websocket_protocol_resp(T)).
 parse_sec_websocket_protocol_resp_test_() ->
 Tests = [
 {<<"chat">>, <<"chat">>},
- {<<"CHAT">>, <<"chat">>}
+ {<<"CHAT">>, <<"CHAT">>}
 ],
 [{V, fun() -> R = parse_sec_websocket_protocol_resp(V) end}
 || {V, R} <- Tests].
-- 
cgit v1.2.3
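Review bot: The rewritten `parse_sec_websocket_protocol_resp/1` is only exercised with values it accepts, so nothing here pins that an empty value or one containing a separator is still rejected. That matters because validation moved out of the clause head into `validate_token/1`, whose definition is outside the hunk. Since this header value comes from the remote peer, I would add a test next to the existing one asserting that `<<>>` and `<<"chat, superchat">>` both raise an error instead of being returned. The empty check could also move into the head as `parse_sec_websocket_protocol_resp(Protocol) when Protocol =/= <<>> ->`, which keeps the failure a `function_clause` as it was before this change rather than a `badmatch`.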