Changeset 75461 in webkit

Timestamp:

Jan 10, 2011 6:26:06 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

2011-01-10 Joe Mason <​jmason@rim.com>

Reviewed by Alexey Proskuryakov.

WebSockets: unbounded buffer growth when server sends bad data
​https://bugs.webkit.org/show_bug.cgi?id=51253

Tests that a websocket handshake should fail after 1024 bytes without a
newline, or if it contains a null byte before the first newline.

• http/tests/websocket/tests/handshake-fail-by-maxlength-expected.txt: Added.
• http/tests/websocket/tests/handshake-fail-by-maxlength.html: Added.
• http/tests/websocket/tests/handshake-fail-by-maxlength_wsh.py: Added.
• http/tests/websocket/tests/handshake-fail-by-prepended-null-expected.txt: Added.
• http/tests/websocket/tests/handshake-fail-by-prepended-null.html: Added.
• http/tests/websocket/tests/handshake-fail-by-prepended-null_wsh.py: Added.

2011-01-10 Joe Mason <​jmason@rim.com>

Reviewed by Alexey Proskuryakov.

WebSockets: unbounded buffer growth when server sends bad data
​https://bugs.webkit.org/show_bug.cgi?id=51253

Fail a websocket handshake after 1024 bytes without a newline, or if it
contains a null byte before the first newline.

Tests: http/tests/websocket/tests/handshake-fail-by-maxlength.html

http/tests/websocket/tests/handshake-fail-by-prepended-null.html

• websockets/WebSocketHandshake.cpp: (WebCore::WebSocketHandshake::readStatusLine):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/websocket/tests/handshake-fail-by-maxlength-expected.txt (added)
• LayoutTests/http/tests/websocket/tests/handshake-fail-by-maxlength.html (added)
• LayoutTests/http/tests/websocket/tests/handshake-fail-by-maxlength_wsh.py (added)
• LayoutTests/http/tests/websocket/tests/handshake-fail-by-prepended-null-expected.txt (added)
• LayoutTests/http/tests/websocket/tests/handshake-fail-by-prepended-null.html (added)
• LayoutTests/http/tests/websocket/tests/handshake-fail-by-prepended-null_wsh.py (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/websockets/WebSocketHandshake.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-01-10  Joe Mason  <jmason@rim.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        WebSockets: unbounded buffer growth when server sends bad data
+        https://bugs.webkit.org/show_bug.cgi?id=51253
+
+        Tests that a websocket handshake should fail after 1024 bytes without a
+        newline, or if it contains a null byte before the first newline.
+        
+        * http/tests/websocket/tests/handshake-fail-by-maxlength-expected.txt: Added.
+        * http/tests/websocket/tests/handshake-fail-by-maxlength.html: Added.
+        * http/tests/websocket/tests/handshake-fail-by-maxlength_wsh.py: Added.
+        * http/tests/websocket/tests/handshake-fail-by-prepended-null-expected.txt: Added.
+        * http/tests/websocket/tests/handshake-fail-by-prepended-null.html: Added.
+        * http/tests/websocket/tests/handshake-fail-by-prepended-null_wsh.py: Added.
+
 2011-01-10  Jer Noble  <jer.noble@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-01-10  Joe Mason  <jmason@rim.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        WebSockets: unbounded buffer growth when server sends bad data
+        https://bugs.webkit.org/show_bug.cgi?id=51253
+
+        Fail a websocket handshake after 1024 bytes without a newline, or if it
+        contains a null byte before the first newline.
+
+        Tests: http/tests/websocket/tests/handshake-fail-by-maxlength.html
+               http/tests/websocket/tests/handshake-fail-by-prepended-null.html
+
+        * websockets/WebSocketHandshake.cpp:
+        (WebCore::WebSocketHandshake::readStatusLine):
+
 2011-01-10  Adam Barth  <abarth@webkit.org>
 

trunk/Source/WebCore/websockets/WebSocketHandshake.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2009 Google Inc.  All rights reserved.
+ * Copyright (C) Research In Motion Limited 2011. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -428 +429 @@
 int WebSocketHandshake::readStatusLine(const char* header, size_t headerLength, int& statusCode, String& statusText)
 {
+    // Arbitrary size limit to prevent the server from sending an unbounded
+    // amount of data with no newlines and forcing us to buffer it all.
+    static const int maximumLength = 1024;
+
     statusCode = -1;
     statusText = String();
@@ -442 +447 @@
             else if (!space2)
                 space2 = p;
+        } else if (*p == '\0') {
+            // The caller isn't prepared to deal with null bytes in status
+            // line. WebSockets specification doesn't prohibit this, but HTTP
+            // does, so we'll just treat this as an error. 
+            m_context->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "Status line contains embedded null", 0, clientOrigin());
+            return p + 1 - header;
         } else if (*p == '\n')
             break;
@@ -449 +460 @@
 
     const char* end = p + 1;
-    if (end - header > INT_MAX) {
-        m_context->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "Status line is too long: " + trimConsoleMessage(header, maxConsoleMessageSize + 1), 0, clientOrigin());
-        return INT_MAX;
+    if (end - header > maximumLength) {
+        m_context->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "Status line is too long", 0, clientOrigin());
+        return maximumLength;
     }
     int lineLength = end - header;