Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Websocket response .close() can hang indefinitely #1002

Closed
mpaolini opened this issue Jul 25, 2016 · 6 comments
Closed

Websocket response .close() can hang indefinitely #1002

mpaolini opened this issue Jul 25, 2016 · 6 comments
Labels
good first issue Good for newcomers outdated

Comments

@mpaolini
Copy link
Contributor

Long story short

By looking at this loop in the websockertesponse .close() code it looks like a malicious client can hang the .close() method forever by sending regular messages every 10 seconds.

Expected behaviour

WebSocketResponse .close() should timeout by default after some time.

Actual behaviour

WebSocketResponse .close() can wait indefinitely for a close opcode, provided some other data arrives every 10 seconds.

Steps to reproduce

None yet

Your environment

linux/python35
@asvetlov
Copy link
Member

Good catch! I believe client code has the same loop.

It can be solved by either calculating total elapsed time for closing call or counting amount of loops.

@mpaolini are you interesting in providing a patch?

@mpaolini
Copy link
Contributor Author

@asvetlov yep, I can write one maybe later tonight

@mpaolini
Copy link
Contributor Author

won't have time in the near future (next month or so) for this

@asvetlov
Copy link
Member

Got it

@asvetlov asvetlov added the good first issue Good for newcomers label Aug 14, 2016
achimnol added a commit to achimnol/aiohttp that referenced this issue Aug 15, 2016
@achimnol
Prevent indefinite hang on WebSocket response.close() (aio-libs#1002)
157c136 
 * The close() method now checks the time elapsed since the original
   starting time as well as the timeout for each iteration.

 * Now close() should wait no more than at most twice of the timeout
   given to WebSocketResponse.
@achimnol achimnol mentioned this issue Aug 15, 2016
Merged
3 tasks
asvetlov pushed a commit that referenced this issue Aug 15, 2016
@achimnol @asvetlov
Prevent infinite hang on WebSocket response.close() (#1002) (#1084)
e8f7b6f 
* Prevent indefinite hang on WebSocket response.close() (#1002)

 * The close() method now checks the time elapsed since the original
   starting time as well as the timeout for each iteration.

 * Now close() should wait no more than at most twice of the timeout
   given to WebSocketResponse.

* Fix typo and flake formatting errors.
@asvetlov
Copy link
Member

Fixed by #1084

@achimnol achimnol mentioned this issue Aug 15, 2016
Merged
3 tasks
@asvetlov asvetlov mentioned this issue Sep 26, 2018
Closed
@aio-libs-bot aio-libs-bot mentioned this issue Oct 25, 2018
Closed
@lock
Copy link

lock bot commented Oct 29, 2019

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those exceprts into that new issue.

@lock lock bot added the outdated label Oct 29, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 29, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
good first issue Good for newcomers outdated
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@asvetlov @mpaolini