From 0cb34c063b5f429ea8b23869f7342b3a4b5db1dd Mon Sep 17 00:00:00 2001
From: Pankaj Kumar Bind
Date: Wed, 13 Aug 2025 20:19:25 +0530
Subject: [PATCH 1/2] fix: Add validation for WebSocket subprotocols
---
 daphne/ws_protocol.py | 2 ++
 tests/test_websocket.py | 10 +++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/daphne/ws_protocol.py b/daphne/ws_protocol.py
index b1e29c3..b27cde8 100755
--- a/daphne/ws_protocol.py
+++ b/daphne/ws_protocol.py
@@ -71,6 +71,8 @@ class WebSocketProtocol(WebSocketServerProtocol):
 subprotocols = [
 x.strip() for x in unquote(value.decode("ascii")).split(",")
 ]
+ if not all(isinstance(x, str) for x in subprotocols):
+ raise ValueError("Invalid subprotocol value")
 # Make new application instance with scope
 self.path = request.path.encode("ascii")
 self.application_deferred = defer.maybeDeferred(
diff --git a/tests/test_websocket.py b/tests/test_websocket.py
index 851143c..26b788f 100644
--- a/tests/test_websocket.py
+++ b/tests/test_websocket.py
@@ -138,7 +138,15 @@ class TestWebsocket(DaphneTestCase):
 scope, messages = test_app.get_received()
 self.assert_valid_websocket_scope(scope, subprotocols=subprotocols)
 self.assert_valid_websocket_connect_message(messages[0])
-
+ def test_invalid_subprotocols(self):
+ """
+ Tests that the server rejects connections with invalid subprotocols.
+ """
+ with DaphneTestingInstance() as test_app:
+ test_app.add_send_messages([{"type": "websocket.accept"}])
+ with self.assertRaises(TypeError):
+ self.websocket_handshake(test_app, subprotocols=[1, 2])
+
 def test_xff(self):
 """
 Tests that X-Forwarded-For headers get parsed right
From 3039fb72dbbca1436dce447b7a16bf60ed415ca9 Mon Sep 17 00:00:00 2001
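Review bot: The check added in daphne/ws_protocol.py can never fail, because every element of `subprotocols` is produced by `unquote(value.decode("ascii")).split(",")` followed by `.strip()` and is therefore always a `str`. The header is percent-decoded before it is split, so empty entries and entries that contain whitespace, separators or control characters after decoding still pass this check and, as far as the hunk shows, go on into the application scope. Validation that matches the commit title would test each entry against the HTTP token grammar that RFC 6455 requires for subprotocol names, for example `if not all(SUBPROTOCOL_TOKEN.fullmatch(x) for x in subprotocols):`, where `SUBPROTOCOL_TOKEN` is a new module-level compiled pattern (the name is only a suggestion). The enclosing method starts and ends outside the hunk, so how a `ValueError` raised here is turned into a handshake response is not visible and should be confirmed.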
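Review bot: `test_invalid_subprotocols` in tests/test_websocket.py expects `TypeError`, while the server-side check added in this commit raises `ValueError`, so the test does not pin the new behaviour. Passing `subprotocols=[1, 2]` hands integers to the client-side helper, and the `TypeError` most likely comes from building the request header inside `websocket_handshake` (not visible here) before anything reaches the server. A header value arrives at the server as bytes and is decoded to strings, so a non-string subprotocol cannot be produced over the wire. The test should instead send a string that is not a valid token, for instance the constructed sample `subprotocols=["bad proto"]`, and assert that the handshake is refused in whatever way the helper reports a rejected connection.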
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Wed, 13 Aug 2025 14:51:06 +0000
Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---
 tests/test_websocket.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/test_websocket.py b/tests/test_websocket.py
index 26b788f..426eadf 100644
--- a/tests/test_websocket.py
+++ b/tests/test_websocket.py
@@ -138,6 +138,7 @@ class TestWebsocket(DaphneTestCase):
 scope, messages = test_app.get_received()
 self.assert_valid_websocket_scope(scope, subprotocols=subprotocols)
 self.assert_valid_websocket_connect_message(messages[0])
+
 def test_invalid_subprotocols(self):
 """
 Tests that the server rejects connections with invalid subprotocols.
@@ -146,7 +147,7 @@ class TestWebsocket(DaphneTestCase):
 test_app.add_send_messages([{"type": "websocket.accept"}])
 with self.assertRaises(TypeError):
 self.websocket_handshake(test_app, subprotocols=[1, 2])
-
+
 def test_xff(self):
 """
 Tests that X-Forwarded-For headers get parsed right