
client validation of websocket upgrade response #3462

Closed
lachlan-roberts opened this issue Mar 14, 2019 · 1 comment

The websocket client does not fail the websocket connection on receiving an upgrade response which includes an extension which it did not request.

RFC6455

If the response includes a |Sec-WebSocket-Extensions| header
field and this header field indicates the use of an extension
that was not present in the client's handshake (the server has
indicated an extension not requested by the client), the client
MUST _Fail the WebSocket Connection_.

https://tools.ietf.org/html/rfc6455#section-4.1

In my testing of #3460 I managed to put an unrequested extension in the upgrade response with no error from the client. This was tested on jetty 10.0.x but may be an issue on 9.4.x as well.


lachlan-roberts commented Mar 14, 2019

This seems to be a problem with subprotocols as well: the client will accept a subprotocol which it did not request.

For the sending of the response on the server side, the logic seems to be wrong:
https://github.com/eclipse/jetty.project/blob/67838609c3059134c3a3374f3de745f66a2ec6d4/jetty-websocket/websocket-core/src/main/java/org/eclipse/jetty/websocket/core/server/internal/RFC6455Handshaker.java#L155-L175
If there are no requested subprotocols and there is a subprotocol, then this is allowing it to be sent.
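The two client-side checks this issue asks for (RFC 6455 section 4.1: fail the connection on an extension or subprotocol the client never offered), as an added example in Python rather than Jetty's own Java code; the header representation as a list of (name, value) pairs and the sample response are assumptions constructed for the demonstration:

```python
# Assumed data model: the 101 response's headers as (name, value) pairs; a name may repeat.


def header_values(headers, name):
    """Every value of a header, matched case-insensitively by name."""
    return [v for n, v in headers if n.lower() == name.lower()]


def parse_list_header(values):
    """Split comma-separated header values into bare tokens, dropping any
    ';'-separated parameters: 'permessage-deflate; client_max_window_bits'
    yields 'permessage-deflate'."""
    tokens = []
    for value in values:
        for item in value.split(","):
            item = item.split(";", 1)[0].strip()
            if item:
                tokens.append(item)
    return tokens


def validate_upgrade_response(requested_extensions, requested_subprotocols, headers):
    """Reasons the client MUST fail the connection (RFC 6455 section 4.1);
    an empty list means the extension and subprotocol checks pass."""
    failures = []
    # Every extension the server enables must have been offered by the client.
    for ext in parse_list_header(header_values(headers, "Sec-WebSocket-Extensions")):
        if ext not in requested_extensions:
            failures.append(f"unrequested extension: {ext}")

    # The server may select at most one subprotocol, and only one the client
    # offered; if the client offered none, the server must send none.
    chosen = parse_list_header(header_values(headers, "Sec-WebSocket-Protocol"))
    if len(chosen) > 1:
        failures.append(f"server selected multiple subprotocols: {chosen}")
    for proto in chosen:
        if proto not in requested_subprotocols:
            failures.append(f"unrequested subprotocol: {proto}")
    return failures


# Constructed sample: the client offered permessage-deflate and no subprotocol,
# but the server's response enables an extra extension and picks a subprotocol.
SAMPLE_RESPONSE_HEADERS = [
    ("Upgrade", "websocket"),
    ("Sec-WebSocket-Extensions", "permessage-deflate; server_no_context_takeover, x-unknown-ext"),
    ("Sec-WebSocket-Protocol", "chat"),
]
SAMPLE_FAILURES = validate_upgrade_response(["permessage-deflate"], [], SAMPLE_RESPONSE_HEADERS)
```

A conforming client would close the connection as soon as `validate_upgrade_response` returns a non-empty list, instead of silently accepting the server's choices.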

lachlan-roberts added a commit to lachlan-roberts/jetty.project that referenced this issue Mar 18, 2019
Signed-off-by: lachan-roberts <lachlan@webtide.com>
lachlan-roberts added a commit to lachlan-roberts/jetty.project that referenced this issue Mar 18, 2019
Signed-off-by: lachan-roberts <lachlan@webtide.com>
lachlan-roberts added a commit to lachlan-roberts/jetty.project that referenced this issue Mar 18, 2019
…otocol

Signed-off-by: lachan-roberts <lachlan@webtide.com>
lachlan-roberts added a commit to lachlan-roberts/jetty.project that referenced this issue Mar 19, 2019
…ry time

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit to lachlan-roberts/jetty.project that referenced this issue Mar 19, 2019
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
gregw added a commit that referenced this issue Mar 19, 2019
…cketclient-validation

Issue #3462 - websocket upgrade request validation