fix a DoS against websocket clients
I assumed gorilla validated UTF8 for incoming text messages. In fact, the documentation states:

> It is the application's responsibility to ensure that text messages
> are valid UTF-8 encoded text.

and this applies to both incoming and outgoing messages. Consequently, even when enforce-utf8 is enabled, it was possible to send invalid UTF8 to Ergo inside a websocket text frame. This data would be incorrectly considered valid UTF8, and could be relayed to other clients, including to websocket clients inside a text frame. The resulting frame would violate the websocket protocol, causing web clients to be disconnected.
parent
1e1acdae21
commit
9589d019cb
@ -128,9 +128,9 @@ func (wc IRCWSConn) WriteLines(buffers [][]byte) (err error) {
|
||||
}
|
||||
|
||||
func (wc IRCWSConn) ReadLine() (line []byte, err error) {
|
||||
messageType, line, err := wc.conn.ReadMessage()
|
||||
_, line, err = wc.conn.ReadMessage()
|
||||
if err == nil {
|
||||
if messageType == websocket.BinaryMessage && !utf8.Valid(line) {
|
||||
if !utf8.Valid(line) {
|
||||
return line, errInvalidUtf8
|
||||
}
|
||||
return line, nil
|
||||
|
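Review bot: The unconditional `if !utf8.Valid(line)` check in ReadLine closes only the inbound path, while the commit message itself notes that gorilla leaves UTF-8 validation to the application for outgoing text frames too. WriteLines appears only in the hunk header, so it is not visible here whether the write side validates before sending; if it does not, data that reaches the server through another listener with enforce-utf8 disabled could presumably still end up in an invalid text frame and disconnect web clients. Consider a matching `utf8.Valid` guard before the text-frame write, plus a regression test that hands ReadLine a text message containing invalid bytes and expects `errInvalidUtf8`. The reason for discarding the message type also deserves a comment at the check, e.g. `// gorilla/websocket does not validate UTF-8 in text frames, so validate every message here`. ReadLine's body continues past the end of the hunk.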