qemu-devel

Re: [Qemu-devel] [PATCH] io: fully parse & validate HTTP headers for web


From: Anton Nefedov
Subject: Re: [Qemu-devel] [PATCH] io: fully parse & validate HTTP headers for websocket protocol handshake
Date: Tue, 28 Feb 2017 15:59:25 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0

On 02/28/2017 03:07 PM, Daniel P. Berrange wrote:
> The current websockets protocol handshake code is very relaxed, just
> doing crude string searching across the HTTP header data. This causes
> it to both reject valid connections and fail to reject invalid
> connections. For example, according to the RFC 6455 it:
>
>  - MUST reject any method other than "GET"
>  - MUST reject any HTTP version less than "HTTP/1.1"
>  - MUST reject Connection header without "Upgrade" listed
>  - MUST reject Upgrade header which is not 'websocket'
>  - MUST reject missing Host header
>  - MUST treat HTTP header names as case insensitive
>
> To do all this validation correctly requires that we fully parse the
> HTTP headers, populating a data structure containing the header
> fields.
>
> After this change, we also reject any path other than '/'
>
> Signed-off-by: Daniel P. Berrange <address@hidden>
> ---

thanks, this works with the client that used to fail
(tornado python lib http://www.tornadoweb.org/en/stable/)


/Anton
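
The header checks listed in the quoted commit message, sketched as an added C example; it is not part of the original message and is not QEMU's code. The `ws_*` names, result codes and the sample request are constructed for illustration, and only the checks named in the message are covered (the Upgrade value is compared case-insensitively, as RFC 6455 specifies).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum ws_result { WS_OK, WS_BAD_REQUEST_LINE, WS_BAD_METHOD, WS_BAD_PATH,
                 WS_BAD_VERSION, WS_NO_HOST, WS_BAD_CONNECTION, WS_BAD_UPGRADE };
/* Constructed sample: valid handshake from a client that sends lower-case names. */
const char WS_SAMPLE[] = "GET / HTTP/1.1\r\nhost: example.test\r\n"
                         "connection: keep-alive, Upgrade\r\nupgrade: WebSocket\r\n\r\n";

/* Copy the trimmed value of header `name` (case-insensitive) into out; 1 if found. */
static int ws_header(const char *hdrs, const char *name, char *out, size_t len) {
    size_t nlen = strlen(name);
    for (const char *p = hdrs, *eol; (eol = strstr(p, "\r\n")) && eol != p; p = eol + 2) {
        if ((size_t)(eol - p) <= nlen || p[nlen] != ':' || strncasecmp(p, name, nlen))
            continue;                   /* not a whole "Name:" match on this line */
        const char *v = p + nlen + 1, *e = eol;
        while (v < e && (*v == ' ' || *v == '\t')) v++;
        while (e > v && (e[-1] == ' ' || e[-1] == '\t')) e--;
        snprintf(out, len, "%.*s", (int)(e - v), v);
        return 1;
    }
    return 0;
}
/* True if the comma-separated list holds `token` (case-insensitive). */
static int ws_has_token(char *list, const char *token) {
    for (char *t = strtok(list, ", \t"); t; t = strtok(NULL, ", \t"))
        if (!strcasecmp(t, token)) return 1;
    return 0;
}

/* Apply the checks listed in the commit message; all names here are hypothetical. */
enum ws_result ws_validate(const char *req) {
    char line[300], method[16], path[256], ver[16], val[256], junk;
    int maj = 0, min = 0, n = 0;
    const char *eol = strstr(req, "\r\n");
    if (!eol || eol - req >= (long)sizeof(line)) return WS_BAD_REQUEST_LINE;
    snprintf(line, sizeof(line), "%.*s", (int)(eol - req), req);
    if (sscanf(line, "%15s %255s %15s %c", method, path, ver, &junk) != 3 ||
        sscanf(ver, "HTTP/%1d.%1d%n", &maj, &min, &n) != 2 || ver[n] != '\0')
        return WS_BAD_REQUEST_LINE;
    if (strcmp(method, "GET")) return WS_BAD_METHOD;
    if (strcmp(path, "/")) return WS_BAD_PATH;
    if (maj < 1 || (maj == 1 && min < 1)) return WS_BAD_VERSION;
    if (!ws_header(eol + 2, "Host", val, sizeof(val))) return WS_NO_HOST;
    if (!ws_header(eol + 2, "Connection", val, sizeof(val)) || !ws_has_token(val, "Upgrade"))
        return WS_BAD_CONNECTION;
    if (!ws_header(eol + 2, "Upgrade", val, sizeof(val)) || strcasecmp(val, "websocket"))
        return WS_BAD_UPGRADE;
    return WS_OK;
}
```

Because each header is matched as a whole `Name: value` line, a request whose only mention of `Upgrade: websocket` sits inside another header's value is rejected, while differently cased header names are accepted.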


