From 9589d019cb54482d11607963d7797e79b8412fb8 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Sun, 22 Jan 2023 14:54:37 -0500
Subject: [PATCH] fix a DoS against websocket clients

I assumed gorilla validated UTF8 for incoming text messages. In fact, the documentation states:
>It is the application's responsibility to ensure that text messages
>are valid UTF-8 encoded text.
and this applies to both incoming and outgoing messages. Consequently, even when enforce-utf8 is enabled, it was possible to send invalid UTF8 to Ergo inside a websocket text frame. This data would be incorrectly considered valid UTF8, and could be relayed to other clients, including to websocket clients inside a text frame. The resulting frame would violate the websocket protocol, causing web clients to be disconnected.
---
 irc/ircconn.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/irc/ircconn.go b/irc/ircconn.go
index 088909a2..a6f391d3 100644
--- a/irc/ircconn.go
+++ b/irc/ircconn.go
@@ -128,9 +128,9 @@ func (wc IRCWSConn) WriteLines(buffers [][]byte) (err error) {
 }
 
 func (wc IRCWSConn) ReadLine() (line []byte, err error) {
- messageType, line, err := wc.conn.ReadMessage()
+ _, line, err = wc.conn.ReadMessage()
 if err == nil {
- if messageType == websocket.BinaryMessage && !utf8.Valid(line) {
+ if !utf8.Valid(line) {
 return line, errInvalidUtf8
 }
 return line, nil
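Review bot: The now-unconditional `utf8.Valid` check in ReadLine relies on a fact that nothing in the code states: gorilla does not validate text frames, so this check is the only thing stopping invalid bytes from a websocket peer before they are relayed. I would record that above the check, e.g. `// gorilla/websocket does not validate UTF-8 in text frames; reject invalid input for every message type`, so a later refactor does not reintroduce the message-type condition. The hunk closes the inbound path only. Whether WriteLines (outside this hunk) also refuses to put invalid UTF-8 into a text frame is not visible here and is worth confirming, since the commit message notes the same gorilla caveat applies to outgoing messages. A regression test that feeds ReadLine a text frame containing an invalid byte sequence and expects `errInvalidUtf8` would pin the fix; the body of ReadLine continues past the end of the hunk.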