
fix a DoS against websocket clients

I assumed gorilla/websocket validated UTF-8 in incoming text frames. In fact, its
documentation states:

>It is the application's responsibility to ensure that text messages
>are valid UTF-8 encoded text.

and this applies to both incoming and outgoing messages. Consequently,
even when enforce-utf8 is enabled, it was possible to send invalid UTF8
to Ergo inside a websocket text frame. This data would be incorrectly
considered valid UTF8, and could be relayed to other clients, including
to websocket clients inside a text frame. The resulting frame would violate
the websocket protocol, causing web clients to be disconnected.
This commit is contained in:
Shivaram Lingamneni 2023-01-22 14:54:37 -05:00
parent 1e1acdae21
commit 9589d019cb


@ -128,9 +128,9 @@ func (wc IRCWSConn) WriteLines(buffers [][]byte) (err error) {
} }
func (wc IRCWSConn) ReadLine() (line []byte, err error) { func (wc IRCWSConn) ReadLine() (line []byte, err error) {
messageType, line, err := wc.conn.ReadMessage() _, line, err = wc.conn.ReadMessage()
if err == nil { if err == nil {
if messageType == websocket.BinaryMessage && !utf8.Valid(line) { if !utf8.Valid(line) {
return line, errInvalidUtf8 return line, errInvalidUtf8
} }
return line, nil return line, nil