Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reject invalid "Sec-WebSocket-Key" headers from clients #360

Merged
merged 5 commits into from Oct 19, 2023
Merged

Reject invalid "Sec-WebSocket-Key" headers from clients #360

merged 5 commits into from Oct 19, 2023

Conversation

Emyrk
Copy link
Contributor

@Emyrk Emyrk commented Dec 20, 2022

Client "Sec-WebSocket-Key" should be a valid 16 byte base64 encoded nonce. If the header is not valid, the server should reject the client.

@Emyrk Emyrk requested a review from nhooyr as a code owner December 20, 2022 20:17
@Emyrk
Copy link
Contributor Author

Emyrk commented Dec 20, 2022

@nhooyr this was brought up by a security consultant. Would be great to get this in so we do not need to handle this at a layer above the websocket library.

@dprotaso dprotaso mentioned this pull request May 11, 2023
Closed
@nhooyr nhooyr added this to the v1.8.8 milestone Oct 13, 2023
@nhooyr nhooyr changed the base branch from master to dev October 14, 2023 13:15
nhooyr
nhooyr reviewed Oct 14, 2023
View reviewed changes
Copy link
Owner

@nhooyr nhooyr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will get this in for v1.8.8. But I need to mention that it was entirely intentional on my end as it's a useless check mandated by the RFC. This isn't a security issue whatsoever and so I decided to ignore the RFC here and not waste CPU cycles on checking. But I can understand that as this library gets more usage it's important to stick to the letter of the RFC to satisfy consultants and process.

Also for anyone testing their websocket implementation against my own, it's good to error here as other libraries may not be flexible.

@nhooyr
Copy link
Owner

nhooyr commented Oct 14, 2023

Will fix the merge conflicts myself.

@nhooyr nhooyr merged commit 10137fa into nhooyr:dev Oct 19, 2023
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nhooyr nhooyr nhooyr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.8.8
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Emyrk @nhooyr