mirror of
https://github.com/ergochat/ergo.git
synced 2024-11-25 13:29:27 +01:00
fix a DoS against websocket clients
I assumed gorilla validated UTF8 for incoming text messages. In fact, the documentation states:

> It is the application's responsibility to ensure that text messages
> are valid UTF-8 encoded text.

and this applies to both incoming and outgoing messages.

Consequently, even when enforce-utf8 is enabled, it was possible to send invalid UTF8 to Ergo inside a websocket text frame. This data would be incorrectly considered valid UTF8, and could be relayed to other clients, including to websocket clients inside a text frame. The resulting frame would violate the websocket protocol, causing web clients to be disconnected.
parent
1e1acdae21
commit
9589d019cb
@ -128,9 +128,9 @@ func (wc IRCWSConn) WriteLines(buffers [][]byte) (err error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (wc IRCWSConn) ReadLine() (line []byte, err error) {
|
func (wc IRCWSConn) ReadLine() (line []byte, err error) {
|
||||||
messageType, line, err := wc.conn.ReadMessage()
|
_, line, err = wc.conn.ReadMessage()
|
||||||
if err == nil {
|
if err == nil {
|
||||||
if messageType == websocket.BinaryMessage && !utf8.Valid(line) {
|
if !utf8.Valid(line) {
|
||||||
return line, errInvalidUtf8
|
return line, errInvalidUtf8
|
||||||
}
|
}
|
||||||
return line, nil
|
return line, nil
|
||||||
|
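Review bot: The `!utf8.Valid(line)` check in ReadLine now runs for every frame, but nothing in the code says why the message type returned by `ReadMessage()` is deliberately discarded, so a later cleanup could reintroduce the `websocket.BinaryMessage` condition and with it the relay problem described in the commit message. I would add a comment above the check such as `// gorilla/websocket does not validate UTF-8 in text frames, so validate every frame regardless of type`. The commit message says the same responsibility applies to outgoing messages; the write path (WriteLines ends just above this hunk) is not visible here, so it is worth confirming that it never places non-UTF-8 bytes in a text frame. A regression test that feeds ReadLine a text frame containing invalid UTF-8 and expects `errInvalidUtf8` would pin the behavior. ReadLine's body continues past the end of the hunk.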