Reject URIs containing user information

garyburd · garyburd · commit 1551221275a7 · 2015-05-15T09:26:38.000-07:00
WebSocket URIs do not contain user information per section 3 of RFC 6455. Fixes gorilla#65
diff --git a/client.go b/client.go
@@ -130,6 +130,11 @@ func parseURL(s string) (*url.URL, error) {
 		u.Opaque = s[i:]
 	}
 
+	if strings.Contains(u.Host, "@") {
+		// WebSocket URIs do not contain user information.
+		return nil, errMalformedURL
+	}
+
 	return &u, nil
 }
 
diff --git a/client_test.go b/client_test.go
@@ -20,6 +20,7 @@ var parseURLTests = []struct {
 	{"wss://example.com/", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/"}},
 	{"wss://example.com/a/b", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/a/b"}},
 	{"ss://example.com/a/b", nil},
+	{"ws://webmaster@example.com/", nil},
 }
 
 func TestParseURL(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,11 @@ func parseURL(s string) (*url.URL, error) {`
`130`	`130`	`u.Opaque = s[i:]`
`131`	`131`	`}`
`132`	`132`
	`133`	`+ if strings.Contains(u.Host, "@") {`
	`134`	`+ // WebSocket URIs do not contain user information.`
	`135`	`+ return nil, errMalformedURL`
	`136`	`+ }`
	`137`	`+`
`133`	`138`	`return &u, nil`
`134`	`139`	`}`
`135`	`140`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ var parseURLTests = []struct {`
`20`	`20`	`{"wss://example.com/", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/"}},`
`21`	`21`	`{"wss://example.com/a/b", &url.URL{Scheme: "wss", Host: "example.com", Opaque: "/a/b"}},`
`22`	`22`	`{"ss://example.com/a/b", nil},`
	`23`	`+ {"ws://[email protected]/", nil},`
`23`	`24`	`}`
`24`	`25`
`25`	`26`	`func TestParseURL(t *testing.T) {`