    io: fully parse & validate HTTP headers for websocket protocol handshake · 07e95cd5
    Daniel P. Berrange authored
    The current websockets protocol handshake code is very relaxed, just
    doing crude string searching across the HTTP header data. This causes
    it to both reject valid connections and fail to reject invalid
    connections. For example, according to the RFC 6455 it:
    
     - MUST reject any method other than "GET"
     - MUST reject any HTTP version less than "HTTP/1.1"
     - MUST reject Connection header without "Upgrade" listed
     - MUST reject Upgrade header which is not 'websocket'
     - MUST reject missing Host header
     - MUST treat HTTP header names as case insensitive
    
    To do all this validation correctly requires that we fully parse the
    HTTP headers, populating a data structure containing the header
    fields.
    
    After this change, we also reject any path other than '/'
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
channel-websock.c 33 KB
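
The checks listed in the commit message, as an added example that is not the code from channel-websock.c: the request is split into a request line and header fields before anything is validated, so a stray "Upgrade" inside some other header's value cannot satisfy the check. The names `ws_check_handshake` and `has_token`, the return codes, the 1 KB buffer and the exact match on "HTTP/1.1" are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical helper: is tok one of the comma-separated tokens in list? */
static int has_token(const char *list, const char *tok)
{
    size_t n = strlen(tok);
    while (*list) {
        list += strspn(list, ", \t");
        size_t len = strcspn(list, ", \t");
        if (len == n && strncasecmp(list, tok, n) == 0)
            return 1;
        list += len;
    }
    return 0;
}

/* Returns 0 if the handshake passes every check, else a negative code. */
int ws_check_handshake(const char *req)
{
    char buf[1024], method[8], path[64], ver[16];
    const char *host = NULL, *conn = NULL, *upg = NULL;
    char *line, *next, *val;
    int first = 1;
    if (strlen(req) >= sizeof(buf)) return -1;
    strcpy(buf, req);
    for (line = buf; *line; line = next, first = 0) {
        size_t len = strcspn(line, "\r\n");
        next = line + len + strspn(line + len, "\r\n");
        line[len] = '\0';
        if (first) {                      /* request line */
            if (sscanf(line, "%7s %63s %15s", method, path, ver) != 3) return -1;
            if (strcmp(method, "GET") != 0) return -2;
            if (strcmp(path, "/") != 0) return -3;
            /* Simplification: only exactly HTTP/1.1 is accepted here. */
            if (strcmp(ver, "HTTP/1.1") != 0) return -4;
            continue;
        }
        if (!(val = strchr(line, ':'))) return -1;   /* not "name: value" */
        *val++ = '\0';
        val += strspn(val, " \t");
        /* Header names are compared case-insensitively. */
        if (!strcasecmp(line, "Host")) host = val;
        else if (!strcasecmp(line, "Connection")) conn = val;
        else if (!strcasecmp(line, "Upgrade")) upg = val;
    }
    if (!host || !*host) return -5;                    /* missing Host */
    if (!conn || !has_token(conn, "Upgrade")) return -6;
    if (!upg || strcasecmp(upg, "websocket") != 0) return -7;
    return 0;
}
```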