Perform more stringent checks on request headers so that it should not be possible to get a driver for requests with invalid headers.
+1
-12
@@ -27,19 +27,8 @@ var Driver = {
|
||||
return Server.http.apply(Server, arguments);
|
||||
},
|
||||
|
||||
isSecureRequest: function(request) {
|
||||
return Server.isSecureRequest(request);
|
||||
},
|
||||
|
||||
isWebSocket: function(request) {
|
||||
if (request.method !== 'GET') return false;
|
||||
|
||||
var connection = request.headers.connection || '',
|
||||
upgrade = request.headers.upgrade || '';
|
||||
|
||||
return request.method === 'GET' &&
|
||||
connection.toLowerCase().split(/ *, */).indexOf('upgrade') >= 0 &&
|
||||
upgrade.toLowerCase() === 'websocket';
|
||||
return Server.isWebSocket(request);
|
||||
},
|
||||
|
||||
validateOptions: function(options, validKeys) {
|
||||
|
||||
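Review bot: `Driver.isWebSocket` changes meaning with the new `return Server.isWebSocket(request);` line, and nothing documents the new contract. The earlier body appears to have answered only whether the request asks for a WebSocket upgrade (GET, `Connection: upgrade`, `Upgrade: websocket`), whereas the delegate answers whether a driver class can be selected from the handshake headers. Callers that branch on this method to reject malformed handshakes would then, as far as the visible code shows, treat those requests as ordinary HTTP. A comment above the method would make this explicit, for example `// True only when the handshake headers select a supported protocol driver; malformed upgrade requests return false.` The enclosing `Driver` object starts and ends outside the hunk.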
@@ -71,6 +71,54 @@ var instance = {
|
||||
for (var key in instance)
|
||||
Server.prototype[key] = instance[key];
|
||||
|
||||
Server.http = function(request, options) {
|
||||
options = options || {};
|
||||
if (options.requireMasking === undefined) options.requireMasking = true;
|
||||
|
||||
var klass = this.getDriverClass(request),
|
||||
url = this.determineUrl(request);
|
||||
|
||||
return klass && new klass(request, url, options);
|
||||
};
|
||||
|
||||
Server.isWebSocket = function(request) {
|
||||
var klass = this.getDriverClass(request);
|
||||
return !!klass;
|
||||
};
|
||||
|
||||
Server.getDriverClass = function(request) {
|
||||
var headers = request.headers;
|
||||
|
||||
var connection = headers['connection'] || '',
|
||||
key = headers['sec-websocket-key'],
|
||||
key1 = headers['sec-websocket-key1'],
|
||||
key2 = headers['sec-websocket-key2'],
|
||||
origin = headers['origin'],
|
||||
upgrade = headers['upgrade'] || '',
|
||||
version = headers['sec-websocket-version'];
|
||||
|
||||
if (request.method !== 'GET' ||
|
||||
connection.toLowerCase().split(/ *, */).indexOf('upgrade') < 0 ||
|
||||
upgrade.toLowerCase() !== 'websocket')
|
||||
return null;
|
||||
|
||||
if (typeof version === 'string' || typeof key === 'string')
|
||||
return (version === '13' && key.length > 0) ? Hybi : null;
|
||||
|
||||
if (typeof origin !== 'string' || origin.length === 0)
|
||||
return null;
|
||||
|
||||
if (typeof key1 === 'string' && typeof key2 === 'string')
|
||||
return Draft76;
|
||||
|
||||
return Draft75;
|
||||
};
|
||||
|
||||
Server.determineUrl = function(request) {
|
||||
var scheme = this.isSecureRequest(request) ? 'wss:' : 'ws:';
|
||||
return scheme + '//' + request.headers.host + request.url;
|
||||
};
|
||||
|
||||
Server.isSecureRequest = function(request) {
|
||||
if (request.connection && request.connection.authorized !== undefined) return true;
|
||||
if (request.socket && request.socket.secure) return true;
|
||||
@@ -85,24 +133,4 @@ Server.isSecureRequest = function(request) {
|
||||
return false;
|
||||
};
|
||||
|
||||
Server.determineUrl = function(request) {
|
||||
var scheme = this.isSecureRequest(request) ? 'wss:' : 'ws:';
|
||||
return scheme + '//' + request.headers.host + request.url;
|
||||
};
|
||||
|
||||
Server.http = function(request, options) {
|
||||
options = options || {};
|
||||
if (options.requireMasking === undefined) options.requireMasking = true;
|
||||
|
||||
var headers = request.headers,
|
||||
url = this.determineUrl(request);
|
||||
|
||||
if (headers['sec-websocket-version'])
|
||||
return new Hybi(request, url, options);
|
||||
else if (headers['sec-websocket-key1'])
|
||||
return new Draft76(request, url, options);
|
||||
else
|
||||
return new Draft75(request, url, options);
|
||||
};
|
||||
|
||||
module.exports = Server;
|
||||
|
||||
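Review bot: A request with `Sec-WebSocket-Version: 13` and no `Sec-WebSocket-Key` header throws a TypeError in `Server.getDriverClass`, because the Hybi branch is entered when either header is a string but then reads `key.length` unconditionally. This function runs on unauthenticated request headers via `Server.isWebSocket` and `Server.http` (and the `Driver` wrappers that delegate to them), so a single malformed handshake raises an exception that may terminate the process if the caller does not catch it. Check the key's type before measuring it: `return (version === '13' && typeof key === 'string' && key.length > 0) ? Hybi : null;`. Separately, `Server.http` now returns a falsy value when no class matches (`return klass && new klass(request, url, options);`), so it is worth documenting that callers must check the result before using the driver.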