From 75f8607d753be0f769fbfe2e355eff28de572fff Mon Sep 17 00:00:00 2001
From: Philipp Heckel
Date: Sun, 16 Jan 2022 17:54:15 -0500
Subject: [PATCH] Bail out early if HTTP is spoken to /ws endpoint
---
 server/errors.go | 1 +
 server/server.go | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/server/errors.go b/server/errors.go
index ad0d0362..c7762713 100644
--- a/server/errors.go
+++ b/server/errors.go
@@ -38,6 +38,7 @@ var (
 errHTTPBadRequestAttachmentURLInvalid = &errHTTP{40013, http.StatusBadRequest, "invalid request: attachment URL is invalid", ""}
 errHTTPBadRequestAttachmentsDisallowed = &errHTTP{40014, http.StatusBadRequest, "invalid request: attachments not allowed", ""}
 errHTTPBadRequestAttachmentsExpiryBeforeDelivery = &errHTTP{40015, http.StatusBadRequest, "invalid request: attachment expiry before delayed delivery date", ""}
+ errHTTPBadRequestWebSocketsUpgradeHeaderMissing = &errHTTP{40016, http.StatusBadRequest, "invalid request: client not using the websocket protocol", ""}
 errHTTPNotFound = &errHTTP{40401, http.StatusNotFound, "page not found", ""}
 errHTTPTooManyRequestsLimitRequests = &errHTTP{42901, http.StatusTooManyRequests, "limit reached: too many requests, please be nice", "https://ntfy.sh/docs/publish/#limitations"}
 errHTTPTooManyRequestsLimitEmails = &errHTTP{42902, http.StatusTooManyRequests, "limit reached: too many emails, please be nice", "https://ntfy.sh/docs/publish/#limitations"}
diff --git a/server/server.go b/server/server.go
index d31588e4..d2a36f7b 100644
--- a/server/server.go
+++ b/server/server.go
@@ -717,6 +717,9 @@ func (s *Server) handleSubscribeHTTP(w http.ResponseWriter, r *http.Request, v *
 }
 
 func (s *Server) handleSubscribeWS(w http.ResponseWriter, r *http.Request, v *visitor) error {
+ if r.Header.Get("Upgrade") != "websocket" {
+ return errHTTPBadRequestWebSocketsUpgradeHeaderMissing
+ }
 if err := v.SubscriptionAllowed(); err != nil {
 return errHTTPTooManyRequestsLimitSubscriptions
 }
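Review bot: The new guard at the top of handleSubscribeWS compares the header with `!= "websocket"`, which is case-sensitive, while RFC 6455 treats the Upgrade token as an ASCII case-insensitive value. A conforming client that sends `Upgrade: WebSocket` would be rejected with error 40016 even though it is speaking the protocol. Consider `if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {`, assuming `strings` is already imported in server.go (the hunk does not show the import block). The error name says "HeaderMissing" but it is also returned when the header is present with a different value, so a short comment such as `// Upgrade header absent or not "websocket"` on the errors.go entry would help. The rest of handleSubscribeWS lies outside the hunk.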