Changeset 52296 in webkit

Timestamp:

Dec 17, 2009 6:38:01 PM (14 years ago)

Author:

ukai@chromium.org

Message:

2009-12-17 Yuzo Fujishima <​yuzo@google.com>

Reviewed by Alexey Proskuryakov.

Update pywebsocket to 0.4.5 and make handshake checking stricter
​https://bugs.webkit.org/show_bug.cgi?id=32249

• Scripts/run-webkit-tests:
• pywebsocket/mod_pywebsocket/handshake.py:
• pywebsocket/mod_pywebsocket/memorizingfile.py: Added.
• pywebsocket/mod_pywebsocket/standalone.py:
• pywebsocket/setup.py:
• pywebsocket/test/test_handshake.py:
• pywebsocket/test/test_memorizingfile.py: Added.

Location:

trunk/WebKitTools

Files:

• ChangeLog (modified) (1 diff)
• Scripts/run-webkit-tests (modified) (1 diff)
• pywebsocket/mod_pywebsocket/handshake.py (modified) (8 diffs)
• pywebsocket/mod_pywebsocket/memorizingfile.py (copied) (copied from trunk/WebKitTools/pywebsocket/setup.py) (1 diff)
• pywebsocket/mod_pywebsocket/standalone.py (modified) (6 diffs)
• pywebsocket/setup.py (modified) (1 diff)
• pywebsocket/test/test_handshake.py (modified) (3 diffs)
• pywebsocket/test/test_memorizingfile.py (copied) (copied from trunk/WebKitTools/pywebsocket/setup.py) (1 diff)

trunk/WebKitTools/ChangeLog

@@ +1 @@
+2009-12-17  Yuzo Fujishima  <yuzo@google.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Update pywebsocket to 0.4.5 and make handshake checking stricter
+        https://bugs.webkit.org/show_bug.cgi?id=32249
+
+        * Scripts/run-webkit-tests:
+        * pywebsocket/mod_pywebsocket/handshake.py:
+        * pywebsocket/mod_pywebsocket/memorizingfile.py: Added.
+        * pywebsocket/mod_pywebsocket/standalone.py:
+        * pywebsocket/setup.py:
+        * pywebsocket/test/test_handshake.py:
+        * pywebsocket/test/test_memorizingfile.py: Added.
+
 2009-12-17  Eric Seidel  <eric@webkit.org>
 

trunk/WebKitTools/Scripts/run-webkit-tests

@@ -1456 +1456 @@
         "-s", "$webSocketHandlerScanDir",
         "-l", "$logFile",
+        "--strict",
     );
     # wss is disabled until all platforms support pyOpenSSL.

trunk/WebKitTools/pywebsocket/mod_pywebsocket/handshake.py

@@ -40 +40 @@
 import re
 
+import util
+
 
 _DEFAULT_WEB_SOCKET_PORT = 80
@@ -45 +47 @@
 _WEB_SOCKET_SCHEME = 'ws'
 _WEB_SOCKET_SECURE_SCHEME = 'wss'
-
-_METHOD_LINE = re.compile(r'^GET ([^ ]+) HTTP/1.1\r\n$')
 
 _MANDATORY_HEADERS = [
@@ -56 +56 @@
 ]
 
+_FIRST_FIVE_LINES = map(re.compile, [
+    r'^GET /[\S]+ HTTP/1.1\r\n$',
+    r'^Upgrade: WebSocket\r\n$',
+    r'^Connection: Upgrade\r\n$',
+    r'^Host: [\S]+\r\n$',
+    r'^Origin: [\S]+\r\n$',
+])
+
+# FIXME: Cookie headers also being in restricted WebSocket syntax.
+_SIXTH_AND_LATER = re.compile(
+    r'^'
+    r'(WebSocket-Protocol: [\x20-\x7e]+\r\n)?'
+    r'([Cc][Oo][Oo][Kk][Ii][Ee]:[^\r]*\r\n)*'
+    r'([Cc][Oo][Oo][Kk][Ii][Ee]2:[^\r]*\r\n)?'
+    r'([Cc][Oo][Oo][Kk][Ii][Ee]:[^\r]*\r\n)*'
+    r'\r\n')
+
+
 
 def _default_port(is_secure):
@@ -76 +94 @@
         raise HandshakeError('Invalid WebSocket-Protocol: empty')
     for c in protocol:
-        if not 0x21 <= ord(c) <= 0x7e:
+        if not 0x20 <= ord(c) <= 0x7e:
             raise HandshakeError('Illegal character in protocol: %r' % c)
 
@@ -83 +101 @@
     """This class performs Web Socket handshake."""
 
-    def __init__(self, request, dispatcher):
+    def __init__(self, request, dispatcher, strict=False):
         """Construct an instance.
 
@@ -89 +107 @@
             request: mod_python request.
             dispatcher: Dispatcher (dispatch.Dispatcher).
+            strict: Strictly check handshake request. Default: False.
+                If True, request.connection must provide get_memorized_lines
+                method.
 
         Handshaker will add attributes such as ws_resource in performing
@@ -96 +117 @@
         self._request = request
         self._dispatcher = dispatcher
+        self._strict = strict
 
     def do_handshake(self):
@@ -174 +196 @@
                     raise HandshakeError('Illegal value for header %s: %s' %
                                          (key, actual_value))
+        if self._strict:
+            try:
+                lines = self._request.connection.get_memorized_lines()
+            except AttributeError, e:
+                util.prepend_message_to_exception(
+                    'Strict handshake is specified but the connection '
+                    'doesn\'t provide get_memorized_lines()', e)
+                raise
+            self._check_first_lines(lines)
+
+    def _check_first_lines(self, lines):
+        if len(lines) < len(_FIRST_FIVE_LINES):
+            raise HandshakeError('Too few header lines: %d' % len(lines))
+        for line, regexp in zip(lines, _FIRST_FIVE_LINES):
+            if not regexp.search(line):
+                raise HandshakeError('Unexpected header: %r doesn\'t match %r'
+                                     % (line, regexp.pattern))
+        sixth_and_later = ''.join(lines[5:])
+        if not _SIXTH_AND_LATER.search(sixth_and_later):
+            raise HandshakeError('Unexpected header: %r doesn\'t match %r'
+                                 % (sixth_and_later,
+                                    _SIXTH_AND_LATER.pattern))
 
 

trunk/WebKitTools/pywebsocket/mod_pywebsocket/memorizingfile.py

@@ -31 +31 @@
 
 
-"""Set up script for mod_pywebsocket.
+"""Memorizing file.
+
+A memorizing file wraps a file and memorizes lines read by readline.
 """
 
 
-from distutils.core import setup
 import sys
 
 
-_PACKAGE_NAME = 'mod_pywebsocket'
+class MemorizingFile(object):
+    """MemorizingFile wraps a file and memorizes lines read by readline.
 
-if sys.version < '2.3':
-    print >>sys.stderr, '%s requires Python 2.3 or later.' % _PACKAGE_NAME
-    sys.exit(1)
+    Note that data read by other methods are not memorized. This behavior
+    is good enough for memorizing lines SimpleHTTPServer reads before
+    the control reaches WebSocketRequestHandler.
+    """
+    def __init__(self, file_, max_memorized_lines=sys.maxint):
+        """Construct an instance.
 
-setup(author='Yuzo Fujishima',
-      author_email='yuzo@chromium.org',
-      description='Web Socket extension for Apache HTTP Server.',
-      long_description=(
-              'mod_pywebsocket is an Apache HTTP Server extension for '
-              'Web Socket (http://tools.ietf.org/html/'
-              'draft-hixie-thewebsocketprotocol). '
-              'See mod_pywebsocket/__init__.py for more detail.'),
-      license='See COPYING',
-      name=_PACKAGE_NAME,
-      packages=[_PACKAGE_NAME],
-      url='http://code.google.com/p/pywebsocket/',
-      version='0.4.3',
-      )
+        Args:
+            file_: the file object to wrap.
+            max_memorized_lines: the maximum number of lines to memorize.
+                Only the first max_memorized_lines are memorized.
+                Default: sys.maxint. 
+        """
+        self._file = file_
+        self._memorized_lines = []
+        self._max_memorized_lines = max_memorized_lines
+
+    def __getattribute__(self, name):
+        if name in ('_file', '_memorized_lines', '_max_memorized_lines',
+                    'readline', 'get_memorized_lines'):
+            return object.__getattribute__(self, name)
+        return self._file.__getattribute__(name)
+
+    def readline(self):
+        """Override file.readline and memorize the line read."""
+
+        line = self._file.readline()
+        if line and len(self._memorized_lines) < self._max_memorized_lines:
+            self._memorized_lines.append(line)
+        return line
+
+    def get_memorized_lines(self):
+        """Get lines memorized so far."""
+        return self._memorized_lines
 
 

trunk/WebKitTools/pywebsocket/mod_pywebsocket/standalone.py

@@ -76 +76 @@
 import dispatch
 import handshake
+import memorizingfile
 import util
 
@@ -89 +90 @@
 _DEFAULT_LOG_BACKUP_COUNT = 5
 
+# 1024 is practically large enough to contain WebSocket handshake lines.
+_MAX_MEMORIZED_LINES = 1024
 
 def _print_warnings_if_any(dispatcher):
@@ -129 +132 @@
         """Mimic mp_conn.read()."""
         return self._request_handler.rfile.read(length)
+
+    def get_memorized_lines(self):
+        """Get memorized lines."""
+        return self._request_handler.rfile.get_memorized_lines()
 
 
@@ -199 +206 @@
 
         self.connection = self.request
-        self.rfile = socket._fileobject(self.request, 'rb', self.rbufsize)
+        self.rfile = memorizingfile.MemorizingFile(
+                socket._fileobject(self.request, 'rb', self.rbufsize),
+                max_memorized_lines=_MAX_MEMORIZED_LINES)
         self.wfile = socket._fileobject(self.request, 'wb', self.wbufsize)
 
@@ -207 +216 @@
         self._dispatcher = WebSocketRequestHandler.options.dispatcher
         self._print_warnings_if_any()
-        self._handshaker = handshake.Handshaker(self._request,
-                                                self._dispatcher)
+        self._handshaker = handshake.Handshaker(
+                self._request, self._dispatcher,
+                WebSocketRequestHandler.options.strict)
         SimpleHTTPServer.SimpleHTTPRequestHandler.__init__(
                 self, *args, **keywords)
@@ -303 +313 @@
                       default=_DEFAULT_LOG_BACKUP_COUNT,
                       help='Log backup count')
+    parser.add_option('--strict', dest='strict', action='store_true',
+                      default=False, help='Strictly check handshake request')
     options = parser.parse_args()[0]
 

trunk/WebKitTools/pywebsocket/setup.py

@@ -57 +57 @@
       packages=[_PACKAGE_NAME],
       url='http://code.google.com/p/pywebsocket/',
-      version='0.4.3',
+      version='0.4.5',
       )
 

trunk/WebKitTools/pywebsocket/test/test_handshake.py

@@ -215 +215 @@
             'Host':'example.com',
             'Origin':'http://example.com',
-            'WebSocket-Protocol':'illegal protocol',
-        }
+            'WebSocket-Protocol':'illegal\x09protocol',
+        }
+    ),
+)
+
+_STRICTLY_GOOD_REQUESTS = (
+    (
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        '\r\n',
+    ),
+    (  # WebSocket-Protocol
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        'WebSocket-Protocol: sample\r\n',
+        '\r\n',
+    ),
+    (  # WebSocket-Protocol and Cookie
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        'WebSocket-Protocol: sample\r\n',
+        'Cookie: xyz\r\n'
+        '\r\n',
+    ),
+    (  # Cookie
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        'Cookie: abc/xyz\r\n'
+        'Cookie2: $Version=1\r\n'
+        'Cookie: abc\r\n'
+        '\r\n',
+    ),
+)
+
+_NOT_STRICTLY_GOOD_REQUESTS = (
+    (  # Extra space after GET
+        'GET  /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        '\r\n',
+    ),
+    (  # Resource name doesn't stat with '/'
+        'GET demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        '\r\n',
+    ),
+    (  # No space after :
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade:WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        '\r\n',
+    ),
+    (  # Lower case Upgrade header
+        'GET /demo HTTP/1.1\r\n',
+        'upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        '\r\n',
+    ),
+    (  # Connection comes before Upgrade
+        'GET /demo HTTP/1.1\r\n',
+        'Connection: Upgrade\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        '\r\n',
+    ),
+    (  # Origin comes before Host
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Origin: http://example.com\r\n',
+        'Host: example.com\r\n',
+        '\r\n',
+    ),
+    (  # Host continued to the next line
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example\r\n',
+        ' .com\r\n',
+        'Origin: http://example.com\r\n',
+        '\r\n',
+    ),
+    ( # Cookie comes before WebSocket-Protocol
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        'Cookie: xyz\r\n'
+        'WebSocket-Protocol: sample\r\n',
+        '\r\n',
+    ),
+    (  # Unknown header
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        'Content-Type: text/html\r\n'
+        '\r\n',
+    ),
+    (  # Cookie with continuation lines
+        'GET /demo HTTP/1.1\r\n',
+        'Upgrade: WebSocket\r\n',
+        'Connection: Upgrade\r\n',
+        'Host: example.com\r\n',
+        'Origin: http://example.com\r\n',
+        'Cookie: xyz\r\n',
+        ' abc\r\n',
+        ' defg\r\n',
+        '\r\n',
     ),
 )
@@ -230 +361 @@
 
 
+def _create_get_memorized_lines(lines):
+    def get_memorized_lines():
+        return lines
+    return get_memorized_lines
+
+
+def _create_requests_with_lines(request_lines_set):
+    requests = []
+    for lines in request_lines_set:
+        request = _create_request(_GOOD_REQUEST)
+        request.connection.get_memorized_lines = _create_get_memorized_lines(
+                lines)
+        requests.append(request)
+    return requests
+
+
 class HandshakerTest(unittest.TestCase):
     def test_validate_protocol(self):
         handshake._validate_protocol('sample')  # should succeed.
         handshake._validate_protocol('Sample')  # should succeed.
+        handshake._validate_protocol('sample\x20protocol')  # should succeed.
+        handshake._validate_protocol('sample\x7eprotocol')  # should succeed.
         self.assertRaises(handshake.HandshakeError,
                           handshake._validate_protocol,
-                          'sample protocol')
+                          '')
+        self.assertRaises(handshake.HandshakeError,
+                          handshake._validate_protocol,
+                          'sample\x19protocol')
+        self.assertRaises(handshake.HandshakeError,
+                          handshake._validate_protocol,
+                          'sample\x7fprotocol')
         self.assertRaises(handshake.HandshakeError,
                           handshake._validate_protocol,
@@ -309 +464 @@
             self.assertRaises(handshake.HandshakeError, handshaker.do_handshake)
 
+    def test_strictly_good_requests(self):
+        for request in _create_requests_with_lines(_STRICTLY_GOOD_REQUESTS):
+            strict_handshaker = handshake.Handshaker(request,
+                                                     mock.MockDispatcher(),
+                                                     True)
+            strict_handshaker.do_handshake()
+
+    def test_not_strictly_good_requests(self):
+        for request in _create_requests_with_lines(_NOT_STRICTLY_GOOD_REQUESTS):
+            strict_handshaker = handshake.Handshaker(request,
+                                                     mock.MockDispatcher(),
+                                                     True)
+            self.assertRaises(handshake.HandshakeError,
+                              strict_handshaker.do_handshake)
+
+
 
 if __name__ == '__main__':

trunk/WebKitTools/pywebsocket/test/test_memorizingfile.py

@@ -31 +31 @@
 
 
-"""Set up script for mod_pywebsocket.
-"""
+"""Tests for memorizingfile module."""
 
 
-from distutils.core import setup
-import sys
+import StringIO
+import unittest
+
+import config  # This must be imported before mod_pywebsocket.
+from mod_pywebsocket import memorizingfile
 
 
-_PACKAGE_NAME = 'mod_pywebsocket'
+class UtilTest(unittest.TestCase):
+    def check(self, memorizing_file, num_read, expected_list):
+        for unused in range(num_read):
+            memorizing_file.readline()
+        actual_list = memorizing_file.get_memorized_lines()
+        self.assertEqual(len(expected_list), len(actual_list))
+        for expected, actual in zip(expected_list, actual_list):
+            self.assertEqual(expected, actual)
 
-if sys.version < '2.3':
-    print >>sys.stderr, '%s requires Python 2.3 or later.' % _PACKAGE_NAME
-    sys.exit(1)
+    def test_get_memorized_lines(self):
+        memorizing_file = memorizingfile.MemorizingFile(StringIO.StringIO(
+                'Hello\nWorld\nWelcome'))
+        self.check(memorizing_file, 3, ['Hello\n', 'World\n', 'Welcome'])
 
-setup(author='Yuzo Fujishima',
-      author_email='yuzo@chromium.org',
-      description='Web Socket extension for Apache HTTP Server.',
-      long_description=(
-              'mod_pywebsocket is an Apache HTTP Server extension for '
-              'Web Socket (http://tools.ietf.org/html/'
-              'draft-hixie-thewebsocketprotocol). '
-              'See mod_pywebsocket/__init__.py for more detail.'),
-      license='See COPYING',
-      name=_PACKAGE_NAME,
-      packages=[_PACKAGE_NAME],
-      url='http://code.google.com/p/pywebsocket/',
-      version='0.4.3',
-      )
+    def test_get_memorized_lines_limit_memorized_lines(self):
+        memorizing_file = memorizingfile.MemorizingFile(StringIO.StringIO(
+                'Hello\nWorld\nWelcome'), 2)
+        self.check(memorizing_file, 3, ['Hello\n', 'World\n'])
+
+    def test_get_memorized_lines_empty_file(self):
+        memorizing_file = memorizingfile.MemorizingFile(StringIO.StringIO(
+                ''))
+        self.check(memorizing_file, 10, [])
+
+
+if __name__ == '__main__':
+    unittest.main()