🐛 fix(cache): detect directives with OWS and value params

nickzerjeski · nickzerjeski · commit 01b657427dbb · 2026-04-13T10:26:48.000+02:00
diff --git a/middleware/cache/cache.go b/middleware/cache/cache.go
@@ -907,21 +907,41 @@ func New(config ...Config) fiber.Handler {
 
 // hasDirective checks if a cache-control header contains a directive (case-insensitive)
 func hasDirective(cc, directive string) bool {
-	ccLen := len(cc)
-	dirLen := len(directive)
-	for i := 0; i <= ccLen-dirLen; i++ {
-		if !utils.EqualFold(cc[i:i+dirLen], directive) {
-			continue
+	start := 0
+	for start < len(cc) {
+		end := start
+		for end < len(cc) && cc[end] != ',' {
+			end++
 		}
-		if i > 0 {
-			prev := cc[i-1]
-			if prev != ' ' && prev != ',' {
-				continue
-			}
+
+		partStart, partEnd := start, end
+		for partStart < partEnd && (cc[partStart] == ' ' || cc[partStart] == '\t') {
+			partStart++
 		}
-		if i+dirLen == ccLen || cc[i+dirLen] == ',' {
-			return true
+		for partEnd > partStart && (cc[partEnd-1] == ' ' || cc[partEnd-1] == '\t') {
+			partEnd--
 		}
+
+		if partStart < partEnd {
+			keyEnd := partStart
+			for keyEnd < partEnd && cc[keyEnd] != '=' {
+				keyEnd++
+			}
+
+			keyStart := partStart
+			for keyStart < keyEnd && (cc[keyStart] == ' ' || cc[keyStart] == '\t') {
+				keyStart++
+			}
+			for keyEnd > keyStart && (cc[keyEnd-1] == ' ' || cc[keyEnd-1] == '\t') {
+				keyEnd--
+			}
+
+			if keyStart < keyEnd && utils.EqualFold(cc[keyStart:keyEnd], directive) {
+				return true
+			}
+		}
+
+		start = end + 1
 	}
 
 	return false
diff --git a/middleware/cache/cache_test.go b/middleware/cache/cache_test.go
@@ -3046,6 +3046,35 @@ func Test_AllowsSharedCache(t *testing.T) {
 	})
 }
 
+func Test_HasDirective(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		header    string
+		directive string
+		expect    bool
+	}{
+		{header: "no-cache", directive: "no-cache", expect: true},
+		{header: "NO-CACHE", directive: "no-cache", expect: true},
+		{header: "no-cache ", directive: "no-cache", expect: true},
+		{header: "no-cache\t", directive: "no-cache", expect: true},
+		{header: "no-cache=\"Set-Cookie\"", directive: "no-cache", expect: true},
+		{header: "private ", directive: "private", expect: true},
+		{header: "public, private ", directive: "private", expect: true},
+		{header: "my-no-cache", directive: "no-cache", expect: false},
+		{header: "private-ish", directive: "private", expect: false},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.header+"_"+tt.directive, func(t *testing.T) {
+			t.Parallel()
+			got := hasDirective(tt.header, tt.directive)
+			require.Equal(t, tt.expect, got)
+		})
+	}
+}
+
 func TestCacheSkipsAuthorizationByDefault(t *testing.T) {
 	t.Parallel()
 
