mirror of https://github.com/processone/ejabberd.git synced 2024-11-24 16:23:40 +01:00

Merge pull request #2868 from rstgroup/fix-rfc-6455-violation

Fix #2821 RFC6454 violation on websocket connection when validating Origin
Evgeny Khramtsov 2019-04-24 18:21:58 +03:00 committed by GitHub
commit 5819733de6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -63,15 +63,15 @@
-define(HEADER, [?CT_XML, ?AC_ALLOW_ORIGIN, ?AC_ALLOW_HEADERS]). -define(HEADER, [?CT_XML, ?AC_ALLOW_ORIGIN, ?AC_ALLOW_HEADERS]).
check(_Path, Headers) -> check(_Path, Headers) ->
RequiredHeaders = [{'Upgrade', <<"websocket">>}, HeadersValidators = [{'Upgrade', <<"websocket">>, true},
{'Connection', ignore}, {'Host', ignore}, {'Connection', ignore, true}, {'Host', ignore, true},
{<<"Sec-Websocket-Key">>, ignore}, {<<"Sec-Websocket-Key">>, ignore, true},
{<<"Sec-Websocket-Version">>, <<"13">>}, {<<"Sec-Websocket-Version">>, <<"13">>, true},
{<<"Origin">>, get_origin()}], {<<"Origin">>, get_origin(), false}],
F = fun ({Tag, Val}) -> F = fun ({Tag, Val, Required}) ->
case lists:keyfind(Tag, 1, Headers) of case lists:keyfind(Tag, 1, Headers) of
false -> true; % header not found, keep in list false -> Required; % header not found, keep in list if required
{_, HVal} -> {_, HVal} ->
case Val of case Val of
ignore -> false; % ignore value -> ok, remove from list ignore -> false; % ignore value -> ok, remove from list
@ -82,9 +82,9 @@ check(_Path, Headers) ->
end end
end end
end, end,
case lists:filter(F, RequiredHeaders) of case lists:filter(F, HeadersValidators) of
[] -> true; [] -> true;
_MissingHeaders -> false _InvalidHeaders -> false
end. end.
socket_handoff(LocalPath, #request{method = 'GET', ip = IP, q = Q, path = Path, socket_handoff(LocalPath, #request{method = 'GET', ip = IP, q = Q, path = Path,
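Review bot: The new third element of each `HeadersValidators` tuple is an undocumented boolean, and nothing in `check/2` records why `Origin` is the only entry set to `false`. A comment above the list, for example `%% {Header, ExpectedValue | ignore, Required}; Origin is optional because non-browser clients may omit it`, would make the contract explicit. That comment should also say that once a missing Origin is accepted, the check only restricts browser-originated handshakes and should not be relied on as access control for other clients. The value-comparison branch of the fun lies between the two hunks and is not shown, so how a present Origin is matched against `get_origin()` cannot be confirmed from this page.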