[libsoup] hsts: accept the Strict-Transport-Security header regardless of casing



commit 16bb5805674c53ac2930967c5f76e93e6df8ea31
Author: Claudio Saavedra <csaavedra igalia com>
Date:   Mon Jun 10 14:58:27 2019 +0300

    hsts: accept the Strict-Transport-Security header regardless of casing
    
    For some reason a strcmp() was used where a case-insensitive search should
    be used. This was further hidden by the fact that SoupMessageHeaders interns
    the name of headers, so the first time a header is seen by the library will
    be the casing that is used, rendering the case-insensitivity test useless.
    
    Fix the string comparison and move the case-insensitivity test to the top so
    that it runs first and the interned STS header name is the all-caps one, which
    allows the test to work.

 libsoup/soup-hsts-policy.c | 2 +-
 tests/hsts-test.c          | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
---
diff --git a/libsoup/soup-hsts-policy.c b/libsoup/soup-hsts-policy.c
index 5036b912..3158143a 100644
--- a/libsoup/soup-hsts-policy.c
+++ b/libsoup/soup-hsts-policy.c
@@ -278,7 +278,7 @@ soup_hsts_policy_new_from_response (SoupMessage *msg)
                gpointer include_subdomains_value = NULL;
                SoupHSTSPolicy *policy = NULL;
 
-               if (strcmp (name, "Strict-Transport-Security") != 0)
+               if (g_ascii_strcasecmp (name, "Strict-Transport-Security") != 0)
                        continue;
 
                uri = soup_message_get_uri (msg);
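Review bot: The switch to g_ascii_strcasecmp() on the changed line is correct, but nothing at the call site says why, and the commit message shows the earlier strcmp() went unnoticed for a while; a one-line why-comment would guard against a regression, e.g. `/* HTTP field names are case-insensitive (RFC 7230 §3.2); g_ascii_strcasecmp is locale-independent. */`. It is worth the comment also naming the consequence: with an exact-case compare, a server sending the header in non-canonical casing had its policy skipped by the `continue`, so the host received no HSTS enforcement at all. soup_hsts_policy_new_from_response continues outside the hunk, so the remainder of the header loop is not visible here.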
diff --git a/tests/hsts-test.c b/tests/hsts-test.c
index 0f916e4b..6e383c08 100644
--- a/tests/hsts-test.c
+++ b/tests/hsts-test.c
@@ -480,6 +480,10 @@ main (int argc, char **argv)
                https_uri = soup_test_server_get_uri (https_server, "https", NULL);
        }
 
+       /* The case sensitivity test is run first because soup_message_headers_append()
+          interns the header name and further uses of the name use the interned version.
+          if we ran this test later, then the casing that this tests uses wouldn't be used. */
+       g_test_add_func ("/hsts/case-insensitive-header", do_hsts_case_insensitive_header_test);
        g_test_add_func ("/hsts/basic", do_hsts_basic_test);
        g_test_add_func ("/hsts/expire", do_hsts_expire_test);
        g_test_add_func ("/hsts/delete", do_hsts_delete_test);
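Review bot: The added comment on the case-insensitivity registration has two wording slips: `if we ran this test later` should open with a capital, and `this tests uses` should read `this test uses`. More importantly, the comment documents an ordering dependency but does not tell a future editor what breaks it; as far as the visible lines show, any test registered ahead of this one that appends the header in canonical casing would intern that casing and silently void the coverage, so the comment should state the constraint directly, e.g. `Keep this registration first: an earlier test that appends the header interns the canonical casing and defeats this check.` The same registration is removed in the following hunk; that pure move needs no separate note. main() starts and ends outside the hunk.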
@@ -496,7 +500,6 @@ main (int argc, char **argv)
        g_test_add_func ("/hsts/invalid-values", do_hsts_invalid_values_test);
        g_test_add_func ("/hsts/extra-values", do_hsts_extra_values_test);
        g_test_add_func ("/hsts/duplicated-directives", do_hsts_duplicated_directives_test);
-       g_test_add_func ("/hsts/case-insensitive-header", do_hsts_case_insensitive_header_test);
        g_test_add_func ("/hsts/case-insensitive-directives", do_hsts_case_insensitive_directives_test);
        g_test_add_func ("/hsts/optional-quotations", do_hsts_optional_quotations_test);
        g_test_add_func ("/hsts/ip-address", do_hsts_ip_address_test);

