[Webkit-unassigned] [Bug 32249] WebSocket test server handshake is not strict enough
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Dec 15 23:56:07 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=32249
--- Comment #9 from Yuzo Fujishima <yuzo at google.com> 2009-12-15 23:56:07 PST ---
(In reply to comment #7)
> (From update of attachment 44524 [details])
> > + "--strict",
>
> I don't think this should be an option - why would we want to encourage sloppy
> implementations?
Two reasons:
- pywebsocket is for general (although experimental) use, and
generally speaking, the receiver of data should be lenient.
The order of headers is minor enough to tolerate, in my opinion.
- strict checking is difficult to enforce in the Apache module version
of pywebsocket, and we want to keep the behavior as consistent as
possible.
>
> > +_FIRST_FIVE_LINES = map(re.compile, [
> > + r'^GET [\S]+ HTTP/1.1\r\n$',
>
> The spec also says that path must begin with a slash.
Done.
>
> > +_SIXTH_AND_LATER = re.compile(
> > + r'^'
> > + r'(WebSocket-Protocol: [\x20-\x7e]+\r\n)?'
> > + r'([Cc][Oo][Oo][Kk][Ii][Ee]2?:[^\r]*(\r\n[ \t][^\r]*)*\r\n)?'
> > + r'\r\n')
>
> The Cookie header must also be in the restricted WebSocket form. The spec says
> its semantics matches HTTP, but doesn't say anything special about syntax.
>
> Does this allow having both Cookie and Cookie2 headers in a single request?
Fixed to allow both Cookie and Cookie2 in a same request.
>
> > for c in protocol:
> > - if not 0x21 <= ord(c) <= 0x7e:
> > + if not 0x20 <= ord(c) <= 0x7e:
> > raise HandshakeError('Illegal character in protocol: %r' % c)
>
> I'm confused - bug 32266 has already introduced a test verifying that space is
> allowed in protocol name. How could that possibly work before this change?
The test added by 32266 is currently skipped.
>
> > +_STRICTLY_GOOD_REQUESTS = (
> <...>
> > + ( # Cookie with continuation lines
>
> This shouldn't be allowed - all handshake header fields are subject to
> WebSocket syntax.
Fixed.
>
> > +_NOT_STRICTLY_GOOD_REQUESTS = (
> > + ( # Extra space after GET
> > + 'GET /demo HTTP/1.1\r\n',
> > + 'upgrade: WebSocket\r\n',
>
> Upgrade doesn't have a correct case here.
Good catch. Thank you!
>
> Please also test path without a slash at the beginning.
Added.
>
> > + ( # Origin comes before Host
>
> Please also test incorrect order of Upgrade and Connection
Added.
>
> > + ( # Unknow header
>
> Typo: unknown.
Fixed.
>
> > +# vi:sts=4 sw=4 et
>
> We don't normally allow modelines in WebKit sources.
pywebsocket follows a coding rule different form that of WebKit.
>
> Looks good, thanks for tackling this! I can't deeply review Python code, but it
> looks reasonable to me, too.
Thank you for the review. I'll upload a new patch right after this.
Yuzo
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list