Changeset 75461 in webkit
- Timestamp: Jan 10, 2011 6:26:06 PM (13 years ago)
- Location: trunk
- Files: 6 added, 3 edited
trunk/LayoutTests/ChangeLog
r75450 r75461 1 2011-01-10 Joe Mason <jmason@rim.com> 2 3 Reviewed by Alexey Proskuryakov. 4 5 WebSockets: unbounded buffer growth when server sends bad data 6 https://bugs.webkit.org/show_bug.cgi?id=51253 7 8 Tests that a websocket handshake should fail after 1024 bytes without a 9 newline, or if it contains a null byte before the first newline. 10 11 * http/tests/websocket/tests/handshake-fail-by-maxlength-expected.txt: Added. 12 * http/tests/websocket/tests/handshake-fail-by-maxlength.html: Added. 13 * http/tests/websocket/tests/handshake-fail-by-maxlength_wsh.py: Added. 14 * http/tests/websocket/tests/handshake-fail-by-prepended-null-expected.txt: Added. 15 * http/tests/websocket/tests/handshake-fail-by-prepended-null.html: Added. 16 * http/tests/websocket/tests/handshake-fail-by-prepended-null_wsh.py: Added. 17 1 18 2011-01-10 Jer Noble <jer.noble@apple.com> 2 19 -
trunk/Source/WebCore/ChangeLog
r75455 r75461 1 2011-01-10 Joe Mason <jmason@rim.com> 2 3 Reviewed by Alexey Proskuryakov. 4 5 WebSockets: unbounded buffer growth when server sends bad data 6 https://bugs.webkit.org/show_bug.cgi?id=51253 7 8 Fail a websocket handshake after 1024 bytes without a newline, or if it 9 contains a null byte before the first newline. 10 11 Tests: http/tests/websocket/tests/handshake-fail-by-maxlength.html 12 http/tests/websocket/tests/handshake-fail-by-prepended-null.html 13 14 * websockets/WebSocketHandshake.cpp: 15 (WebCore::WebSocketHandshake::readStatusLine): 16 1 17 2011-01-10 Adam Barth <abarth@webkit.org> 2 18 -
trunk/Source/WebCore/websockets/WebSocketHandshake.cpp
r73939 r75461 1 1 /* 2 2 * Copyright (C) 2009 Google Inc. All rights reserved. 3 * Copyright (C) Research In Motion Limited 2011. All rights reserved. 3 4 * 4 5 * Redistribution and use in source and binary forms, with or without … … 428 429 int WebSocketHandshake::readStatusLine(const char* header, size_t headerLength, int& statusCode, String& statusText) 429 430 { 431 // Arbitrary size limit to prevent the server from sending an unbounded 432 // amount of data with no newlines and forcing us to buffer it all. 433 static const int maximumLength = 1024; 434 430 435 statusCode = -1; 431 436 statusText = String(); … … 442 447 else if (!space2) 443 448 space2 = p; 449 } else if (*p == '\0') { 450 // The caller isn't prepared to deal with null bytes in status 451 // line. WebSockets specification doesn't prohibit this, but HTTP 452 // does, so we'll just treat this as an error. 453 m_context->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "Status line contains embedded null", 0, clientOrigin()); 454 return p + 1 - header; 444 455 } else if (*p == '\n') 445 456 break; … … 449 460 450 461 const char* end = p + 1; 451 if (end - header > INT_MAX) {452 m_context->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "Status line is too long : " + trimConsoleMessage(header, maxConsoleMessageSize + 1), 0, clientOrigin());453 return INT_MAX;462 if (end - header > maximumLength) { 463 m_context->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "Status line is too long", 0, clientOrigin()); 464 return maximumLength; 454 465 } 455 466 int lineLength = end - header;
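Review bot: The six test files listed in the LayoutTests ChangeLog entry cover, judging by their names, an over-length status line and a null byte at the start of the line, but not the boundary of the new limit or a null in the middle of the line. Since the check in WebSocketHandshake.cpp is `end - header > maximumLength`, a status line of exactly 1024 bytes including its newline is accepted and 1025 is rejected; a pair of tests pinning that boundary, plus one with the null after the first space, would keep a later off-by-one or a reordering of the `else if` branches from going unnoticed.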
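Review bot: In the new `*p == '\0'` branch of `readStatusLine`, the error path returns `p + 1 - header`, a positive byte count that is indistinguishable from the return of a successful parse; the only failure signal is `statusCode` still holding the -1 assigned at the top of the function. Please document that contract next to the return (callers must test `statusCode`, not the return value), or return a dedicated failure value, so that a caller reading only the length does not treat the bytes up to the null as a consumed status line. The same applies to `return maximumLength;` in the length hunk below it.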
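Review bot: The `end - header > maximumLength` check in the last hunk runs only after the scan loop has finished and `end = p + 1` has been computed, and the lines between the loop and this check are elided in this view, so it is not visible whether a buffer that contains no `\n` at all reaches the check or leaves the function earlier to wait for more data. If it leaves earlier, the 1024-byte cap described in the ChangeLog would not apply to the no-newline case the bug is about; bounding the loop itself by `maximumLength` would make the cap hold regardless of what follows the loop. Separately, `maximumLength` is declared `int` while `headerLength` is `size_t` and `end - header` is a pointer difference; declaring the constant as `size_t` and comparing against the consumed count would avoid the mixed-sign comparison.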