Perform more stringent checks on request headers so that it should not be possible to get a driver for requests with invalid headers.

.gitignore

@@ -1,2 +1 @@
 node_modules
-package-lock.json

.travis.yml

@@ -10,10 +10,6 @@ node_js:
   - "6"
   - "7"
   - "8"
-  - "9"
-  - "10"
-  - "11"
-  - "12"
 
 before_install:
   - '[ "${TRAVIS_NODE_VERSION}" = "0.8" ] && npm install -g npm@~1.4.0 || true'

CHANGELOG.md

@@ -1,136 +1,115 @@
-### 0.7.3 / 2019-06-13
-
-- Cap version of http-parser-js below 0.4.11, which introduced a bug that
-  prevents us from handling messages that are part of the same input buffer as
-  the handshake response if chunked encoding is specified
-
-### 0.7.2 / 2019-06-13
-
-(This version was pulled due to an error when publishing)
-
-### 0.7.1 / 2019-06-10
-
-- Catch any exceptions produced while generating a handshake response and send a
-  `400 Bad Request` response to the client
-- Pick the RFC-6455 protocol version if the request contains any of the headers
-  used by that version
-- Use the `Buffer.alloc()` and `Buffer.from()` functions instead of the unsafe
-  `Buffer()` constructor
-- Handle errors encountered while handling malformed draft-76 requests
-- Change license from MIT to Apache 2.0
-
 ### 0.7.0 / 2017-09-11
 
-- Add `ping` and `pong` to the set of events users can listen to
-- Replace the bindings to Node's HTTP parser with `http-parser-js`
+* Add `ping` and `pong` to the set of events users can listen to
+* Replace the bindings to Node's HTTP parser with `http-parser-js`
 
 ### 0.6.5 / 2016-05-20
 
-- Don't mutate buffers passed in by the application when masking
+* Don't mutate buffers passed in by the application when masking
 
 ### 0.6.4 / 2016-01-07
 
-- If a number is given as input for a frame payload, send it as a string
+* If a number is given as input for a frame payload, send it as a string
 
 ### 0.6.3 / 2015-11-06
 
-- Reject draft-76 handshakes if their Sec-WebSocket-Key headers are invalid
-- Throw a more helpful error if a client is created with an invalid URL
+* Reject draft-76 handshakes if their Sec-WebSocket-Key headers are invalid
+* Throw a more helpful error if a client is created with an invalid URL
 
 ### 0.6.2 / 2015-07-18
 
-- When the peer sends a close frame with no error code, emit 1000
+* When the peer sends a close frame with no error code, emit 1000
 
 ### 0.6.1 / 2015-07-13
 
-- Use the `buffer.{read,write}UInt{16,32}BE` methods for reading/writing numbers
+* Use the `buffer.{read,write}UInt{16,32}BE` methods for reading/writing numbers
   to buffers rather than including duplicate logic for this
 
 ### 0.6.0 / 2015-07-08
 
-- Allow the parser to recover cleanly if event listeners raise an error
-- Add a `pong` method for sending unsolicited pong frames
+* Allow the parser to recover cleanly if event listeners raise an error
+* Add a `pong` method for sending unsolicited pong frames
 
 ### 0.5.4 / 2015-03-29
 
-- Don't emit extra close frames if we receive a close frame after we already
+* Don't emit extra close frames if we receive a close frame after we already
   sent one
-- Fail the connection when the driver receives an invalid
+* Fail the connection when the driver receives an invalid
   `Sec-WebSocket-Extensions` header
 
 ### 0.5.3 / 2015-02-22
 
-- Don't treat incoming data as WebSocket frames if a client driver is closed
+* Don't treat incoming data as WebSocket frames if a client driver is closed
   before receiving the server handshake
 
 ### 0.5.2 / 2015-02-19
 
-- Fix compatibility with the HTTP parser on io.js
-- Use `websocket-extensions` to make sure messages and close frames are kept in
+* Fix compatibility with the HTTP parser on io.js
+* Use `websocket-extensions` to make sure messages and close frames are kept in
   order
-- Don't emit multiple `error` events
+* Don't emit multiple `error` events
 
 ### 0.5.1 / 2014-12-18
 
-- Don't allow drivers to be created with unrecognized options
+* Don't allow drivers to be created with unrecognized options
 
 ### 0.5.0 / 2014-12-13
 
-- Support protocol extensions via the websocket-extensions module
+* Support protocol extensions via the websocket-extensions module
 
 ### 0.4.0 / 2014-11-08
 
-- Support connection via HTTP proxies using `CONNECT`
+* Support connection via HTTP proxies using `CONNECT`
 
 ### 0.3.6 / 2014-10-04
 
-- It is now possible to call `close()` before `start()` and close the driver
+* It is now possible to call `close()` before `start()` and close the driver
 
 ### 0.3.5 / 2014-07-06
 
-- Don't hold references to frame buffers after a message has been emitted
-- Make sure that `protocol` and `version` are exposed properly by the TCP driver
+* Don't hold references to frame buffers after a message has been emitted
+* Make sure that `protocol` and `version` are exposed properly by the TCP driver
 
 ### 0.3.4 / 2014-05-08
 
-- Don't hold memory-leaking references to I/O buffers after they have been
+* Don't hold memory-leaking references to I/O buffers after they have been
   parsed
 
 ### 0.3.3 / 2014-04-24
 
-- Correct the draft-76 status line reason phrase
+* Correct the draft-76 status line reason phrase
 
 ### 0.3.2 / 2013-12-29
 
-- Expand `maxLength` to cover sequences of continuation frames and
+* Expand `maxLength` to cover sequences of continuation frames and
   `draft-{75,76}`
-- Decrease default maximum frame buffer size to 64MB
-- Stop parsing when the protocol enters a failure mode, to save CPU cycles
+* Decrease default maximum frame buffer size to 64MB
+* Stop parsing when the protocol enters a failure mode, to save CPU cycles
 
 ### 0.3.1 / 2013-12-03
 
-- Add a `maxLength` option to limit allowed frame size
-- Don't pre-allocate a message buffer until the whole frame has arrived
-- Fix compatibility with Node v0.11 `HTTPParser`
+* Add a `maxLength` option to limit allowed frame size
+* Don't pre-allocate a message buffer until the whole frame has arrived
+* Fix compatibility with Node v0.11 `HTTPParser`
 
 ### 0.3.0 / 2013-09-09
 
-- Support client URLs with Basic Auth credentials
+* Support client URLs with Basic Auth credentials
 
 ### 0.2.2 / 2013-07-05
 
-- No functional changes, just updates to package.json
+* No functional changes, just updates to package.json
 
 ### 0.2.1 / 2013-05-17
 
-- Export the isSecureRequest() method since faye-websocket relies on it
-- Queue sent messages in the client's initial state
+* Export the isSecureRequest() method since faye-websocket relies on it
+* Queue sent messages in the client's initial state
 
 ### 0.2.0 / 2013-05-12
 
-- Add API for setting and reading headers
-- Add Driver.server() method for getting a driver for TCP servers
+* Add API for setting and reading headers
+* Add Driver.server() method for getting a driver for TCP servers
 
 ### 0.1.0 / 2013-05-04
 
-- First stable release
+* First stable release

LICENSE.md

@@ -1,12 +1,20 @@
-Copyright 2010-2019 James Coglan
+# The MIT License
 
-Licensed under the Apache License, Version 2.0 (the "License"); you may not use
-this file except in compliance with the License. You may obtain a copy of the
-License at
+Copyright (c) 2010-2017 James Coglan
 
-    http://www.apache.org/licenses/LICENSE-2.0
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the 'Software'), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
 
-Unless required by applicable law or agreed to in writing, software distributed
-under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-CONDITIONS OF ANY KIND, either express or implied. See the License for the
-specific language governing permissions and limitations under the License.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -10,21 +10,21 @@ pluggable I/O.
 Due to this design, you get a lot of things for free. In particular, if you hook
 this module up to some I/O object, it will do all of this for you:
 
-- Select the correct server-side driver to talk to the client
-- Generate and send both server- and client-side handshakes
-- Recognize when the handshake phase completes and the WS protocol begins
-- Negotiate subprotocol selection based on `Sec-WebSocket-Protocol`
-- Negotiate and use extensions via the
+* Select the correct server-side driver to talk to the client
+* Generate and send both server- and client-side handshakes
+* Recognize when the handshake phase completes and the WS protocol begins
+* Negotiate subprotocol selection based on `Sec-WebSocket-Protocol`
+* Negotiate and use extensions via the
   [websocket-extensions](https://github.com/faye/websocket-extensions-node)
   module
-- Buffer sent messages until the handshake process is finished
-- Deal with proxies that defer delivery of the draft-76 handshake body
-- Notify you when the socket is open and closed and when messages arrive
-- Recombine fragmented messages
-- Dispatch text, binary, ping, pong and close frames
-- Manage the socket-closing handshake process
-- Automatically reply to ping frames with a matching pong
-- Apply masking to messages sent by the client
+* Buffer sent messages until the handshake process is finished
+* Deal with proxies that defer delivery of the draft-76 handshake body
+* Notify you when the socket is open and closed and when messages arrive
+* Recombine fragmented messages
+* Dispatch text, binary, ping, pong and close frames
+* Manage the socket-closing handshake process
+* Automatically reply to ping frames with a matching pong
+* Apply masking to messages sent by the client
 
 This library was originally extracted from the [Faye](http://faye.jcoglan.com)
 project but now aims to provide simple WebSocket support for any Node-based
@@ -153,8 +153,8 @@ driver.messages.on('data', function(message) {
 Client drivers have two additional properties for reading the HTTP data that was
 sent back by the server:
 
-- `driver.statusCode` - the integer value of the HTTP status code
-- `driver.headers` - an object containing the response headers
+* `driver.statusCode` - the integer value of the HTTP status code
+* `driver.headers` - an object containing the response headers
 
 
 ### HTTP Proxies
@@ -177,7 +177,7 @@ var driver = websocket.client('ws://www.example.com/socket'),
     proxy  = driver.proxy('http://username:password@proxy.example.com'),
     tcp    = net.connect(80, 'proxy.example.com');
 
-tcp.pipe(proxy).pipe(tcp, { end: false });
+tcp.pipe(proxy).pipe(tcp, {end: false});
 
 tcp.on('connect', function() {
   proxy.start();
@@ -235,18 +235,18 @@ masking enabled on outgoing frames.
 The `options` argument is optional, and is an object. It may contain the
 following fields:
 
-- `maxLength` - the maximum allowed size of incoming message frames, in bytes.
+* `maxLength` - the maximum allowed size of incoming message frames, in bytes.
   The default value is `2^26 - 1`, or 1 byte short of 64 MiB.
-- `protocols` - an array of strings representing acceptable subprotocols for use
+* `protocols` - an array of strings representing acceptable subprotocols for use
   over the socket. The driver will negotiate one of these to use via the
   `Sec-WebSocket-Protocol` header if supported by the other peer.
 
 A driver has two duplex streams attached to it:
 
-- **`driver.io`** - this stream should be attached to an I/O socket like a TCP
-  stream. Pipe incoming TCP chunks to this stream for them to be parsed, and
+* <b>`driver.io`</b> - this stream should be attached to an I/O socket like a
+  TCP stream. Pipe incoming TCP chunks to this stream for them to be parsed, and
   pipe this stream back into TCP to send outgoing frames.
-- **`driver.messages`** - this stream emits messages received over the
+* <b>`driver.messages`</b> - this stream emits messages received over the
   WebSocket.  Writing to it sends messages to the other peer by emitting frames
   via the `driver.io` stream.
 

examples/net_client.js

@@ -5,11 +5,11 @@ var net       = require('net'),
     websocket = require('..'),
     deflate   = require('permessage-deflate');
 
-var DEFAULT_PORTS = { 'ws:': 80, 'wss:': 443 };
+var DEFAULT_PORTS = {'ws:': 80, 'wss:': 443};
 
 var uri  = url.parse(process.argv[2]),
     port = uri.port || DEFAULT_PORTS[uri.protocol],
-    conn = net.connect({ host: uri.hostname, port: port });
+    conn = net.connect({host: uri.hostname, port: port});
 
 var driver = websocket.client(uri.href);
 driver.addExtension(deflate);

lib/websocket/driver.js

@@ -1,7 +1,7 @@
 'use strict';
 
 // Protocol references:
-//
+// 
 // * http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-75
 // * http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-76
 // * http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-17
@@ -27,12 +27,8 @@ var Driver = {
     return Server.http.apply(Server, arguments);
   },
 
-  isSecureRequest: function(request) {
-    return Server.isSecureRequest(request);
-  },
-
   isWebSocket: function(request) {
-    return Base.isWebSocket(request);
+    return Server.isWebSocket(request);
   },
 
   validateOptions: function(options, validKeys) {

lib/websocket/driver/base.js

@@ -1,7 +1,6 @@
 'use strict';
 
-var Buffer  = require('safe-buffer').Buffer,
-    Emitter = require('events').EventEmitter,
+var Emitter = require('events').EventEmitter,
     util    = require('util'),
     streams = require('../streams'),
     Headers = require('./headers'),
@@ -26,15 +25,6 @@ var Base = function(request, url, options) {
 };
 util.inherits(Base, Emitter);
 
-Base.isWebSocket = function(request) {
-  var connection = request.headers.connection || '',
-      upgrade    = request.headers.upgrade || '';
-
-  return request.method === 'GET' &&
-         connection.toLowerCase().split(/ *, */).indexOf('upgrade') >= 0 &&
-         upgrade.toLowerCase() === 'websocket';
-};
-
 Base.validateOptions = function(options, validKeys) {
   for (var key in options) {
     if (validKeys.indexOf(key) < 0)
@@ -89,35 +79,13 @@ var instance = {
 
   start: function() {
     if (this.readyState !== 0) return false;
-
-    if (!Base.isWebSocket(this._request))
-      return this._failHandshake(new Error('Not a WebSocket request'));
-
-    var response;
-
-    try {
-      response = this._handshakeResponse();
-    } catch (error) {
-      return this._failHandshake(error);
-    }
-
+    var response = this._handshakeResponse();
+    if (!response) return false;
     this._write(response);
     if (this._stage !== -1) this._open();
     return true;
   },
 
-  _failHandshake: function(error) {
-    var headers = new Headers();
-    headers.set('Content-Type', 'text/plain');
-    headers.set('Content-Length', Buffer.byteLength(error.message, 'utf8'));
-
-    headers = ['HTTP/1.1 400 Bad Request', headers.toString(), error.message];
-    this._write(Buffer.from(headers.join('\r\n'), 'utf8'));
-    this._fail('protocol_error', error.message);
-
-    return false;
-  },
-
   text: function(message) {
     return this.frame(message);
   },
@@ -156,12 +124,6 @@ var instance = {
   _write: function(chunk) {
     var io = this.io;
     if (io.readable) io.emit('data', chunk);
-  },
-
-  _fail: function(type, message) {
-    this.readyState = 2;
-    this.emit('error', new Error(message));
-    this.close();
   }
 };
 

lib/websocket/driver/client.js

@@ -1,7 +1,6 @@
 'use strict';
 
-var Buffer     = require('safe-buffer').Buffer,
-    crypto     = require('crypto'),
+var crypto     = require('crypto'),
     url        = require('url'),
     util       = require('util'),
     HttpParser = require('../http_parser'),
@@ -10,7 +9,7 @@ var Buffer     = require('safe-buffer').Buffer,
     Proxy      = require('./proxy');
 
 var Client = function(_url, options) {
-  this.version = 'hybi-' + Hybi.VERSION;
+  this.version = 'hybi-13';
   Hybi.call(this, null, _url, options);
 
   this.readyState = -1;
@@ -19,7 +18,7 @@ var Client = function(_url, options) {
   this._http      = new HttpParser('response');
 
   var uri  = url.parse(this.url),
-      auth = uri.auth && Buffer.from(uri.auth, 'utf8').toString('base64');
+      auth = uri.auth && new Buffer(uri.auth, 'utf8').toString('base64');
 
   if (this.VALID_PROTOCOLS.indexOf(uri.protocol) < 0)
     throw new Error(this.url + ' is not a valid WebSocket URL');
@@ -30,7 +29,7 @@ var Client = function(_url, options) {
   this._headers.set('Upgrade', 'websocket');
   this._headers.set('Connection', 'Upgrade');
   this._headers.set('Sec-WebSocket-Key', this._key);
-  this._headers.set('Sec-WebSocket-Version', Hybi.VERSION);
+  this._headers.set('Sec-WebSocket-Version', '13');
 
   if (this._protocols.length > 0)
     this._headers.set('Sec-WebSocket-Protocol', this._protocols.join(', '));
@@ -80,7 +79,7 @@ var instance = {
     var start   = 'GET ' + this._pathname + ' HTTP/1.1',
         headers = [start, this._headers.toString(), ''];
 
-    return Buffer.from(headers.join('\r\n'), 'utf8');
+    return new Buffer(headers.join('\r\n'), 'utf8');
   },
 
   _failHandshake: function(message) {

lib/websocket/driver/draft75.js

@@ -1,8 +1,7 @@
 'use strict';
 
-var Buffer = require('safe-buffer').Buffer,
-    Base   = require('./base'),
-    util   = require('util');
+var Base = require('./base'),
+    util = require('util');
 
 var Draft75 = function(request, url, options) {
   Base.apply(this, arguments);
@@ -62,7 +61,7 @@ var instance = {
         case 2:
           if (octet === 0xFF) {
             this._stage = 0;
-            message = Buffer.from(this._buffer).toString('utf8', 0, this._buffer.length);
+            message = new Buffer(this._buffer).toString('utf8', 0, this._buffer.length);
             this.emit('message', new Base.MessageEvent(message));
           }
           else {
@@ -86,12 +85,12 @@ var instance = {
 
     if (typeof buffer !== 'string') buffer = buffer.toString();
 
-    var length = Buffer.byteLength(buffer),
-        frame  = Buffer.allocUnsafe(length + 2);
+    var payload = new Buffer(buffer, 'utf8'),
+        frame   = new Buffer(payload.length + 2);
 
     frame[0] = 0x00;
-    frame.write(buffer, 1);
-    frame[frame.length - 1] = 0xFF;
+    frame[payload.length + 1] = 0xFF;
+    payload.copy(frame, 1);
 
     this._write(frame);
     return true;
@@ -101,7 +100,7 @@ var instance = {
     var start   = 'HTTP/1.1 101 Web Socket Protocol Handshake',
         headers = [start, this._headers.toString(), ''];
 
-    return Buffer.from(headers.join('\r\n'), 'utf8');
+    return new Buffer(headers.join('\r\n'), 'utf8');
   },
 
   _parseLeadingByte: function(octet) {

lib/websocket/driver/draft76.js

@@ -1,18 +1,17 @@
 'use strict';
 
-var Buffer  = require('safe-buffer').Buffer,
-    Base    = require('./base'),
+var Base    = require('./base'),
     Draft75 = require('./draft75'),
     crypto  = require('crypto'),
     util    = require('util');
 
 
 var numberFromKey = function(key) {
-  return parseInt((key.match(/[0-9]/g) || []).join(''), 10);
+  return parseInt(key.match(/[0-9]/g).join(''), 10);
 };
 
 var spacesInKey = function(key) {
-  return (key.match(/ /g) || []).length;
+  return key.match(/ /g).length;
 };
 
 
@@ -43,7 +42,7 @@ var instance = {
 
   close: function() {
     if (this.readyState === 3) return false;
-    if (this.readyState === 1) this._write(Buffer.from([0xFF, 0x00]));
+    this._write(new Buffer([0xFF, 0x00]));
     this.readyState = 3;
     this.emit('close', new Base.CloseEvent(null, null));
     return true;
@@ -51,41 +50,41 @@ var instance = {
 
   _handshakeResponse: function() {
     var headers = this._request.headers,
+
         key1    = headers['sec-websocket-key1'],
-        key2    = headers['sec-websocket-key2'];
-
-    if (!key1) throw new Error('Missing required header: Sec-WebSocket-Key1');
-    if (!key2) throw new Error('Missing required header: Sec-WebSocket-Key2');
-
-    var number1 = numberFromKey(key1),
+        number1 = numberFromKey(key1),
         spaces1 = spacesInKey(key1),
 
+        key2    = headers['sec-websocket-key2'],
         number2 = numberFromKey(key2),
         spaces2 = spacesInKey(key2);
 
-    if (number1 % spaces1 !== 0 || number2 % spaces2 !== 0)
-      throw new Error('Client sent invalid Sec-WebSocket-Key headers');
+    if (number1 % spaces1 !== 0 || number2 % spaces2 !== 0) {
+      this.emit('error', new Error('Client sent invalid Sec-WebSocket-Key headers'));
+      this.close();
+      return null;
+    }
 
     this._keyValues = [number1 / spaces1, number2 / spaces2];
 
     var start   = 'HTTP/1.1 101 WebSocket Protocol Handshake',
         headers = [start, this._headers.toString(), ''];
 
-    return Buffer.from(headers.join('\r\n'), 'binary');
+    return new Buffer(headers.join('\r\n'), 'binary');
   },
 
   _handshakeSignature: function() {
     if (this._body.length < this.BODY_SIZE) return null;
 
     var md5    = crypto.createHash('md5'),
-        buffer = Buffer.allocUnsafe(8 + this.BODY_SIZE);
+        buffer = new Buffer(8 + this.BODY_SIZE);
 
     buffer.writeUInt32BE(this._keyValues[0], 0);
     buffer.writeUInt32BE(this._keyValues[1], 4);
-    Buffer.from(this._body).copy(buffer, 8, 0, this.BODY_SIZE);
+    new Buffer(this._body).copy(buffer, 8, 0, this.BODY_SIZE);
 
     md5.update(buffer);
-    return Buffer.from(md5.digest('binary'), 'binary');
+    return new Buffer(md5.digest('binary'), 'binary');
   },
 
   _sendHandshakeBody: function() {

lib/websocket/driver/hybi.js

@@ -1,7 +1,6 @@
 'use strict';
 
-var Buffer     = require('safe-buffer').Buffer,
-    crypto     = require('crypto'),
+var crypto     = require('crypto'),
     util       = require('util'),
     Extensions = require('websocket-extensions'),
     Base       = require('./base'),
@@ -23,20 +22,25 @@ var Hybi = function(request, url, options) {
 
   if (!this._request) return;
 
-  var protos    = this._request.headers['sec-websocket-protocol'],
+  var secKey    = this._request.headers['sec-websocket-key'],
+      protos    = this._request.headers['sec-websocket-protocol'],
+      version   = this._request.headers['sec-websocket-version'],
       supported = this._protocols;
 
+  this._headers.set('Upgrade', 'websocket');
+  this._headers.set('Connection', 'Upgrade');
+  this._headers.set('Sec-WebSocket-Accept', Hybi.generateAccept(secKey));
+
   if (protos !== undefined) {
     if (typeof protos === 'string') protos = protos.split(/ *, */);
     this.protocol = protos.filter(function(p) { return supported.indexOf(p) >= 0 })[0];
+    if (this.protocol) this._headers.set('Sec-WebSocket-Protocol', this.protocol);
   }
 
-  this.version = 'hybi-' + Hybi.VERSION;
+  this.version = 'hybi-' + version;
 };
 util.inherits(Hybi, Base);
 
-Hybi.VERSION = '13';
-
 Hybi.mask = function(payload, mask, offset) {
   if (!mask || mask.length === 0) return payload;
   offset = offset || 0;
@@ -188,7 +192,7 @@ var instance = {
     if (this.readyState <= 0) return this._queue([buffer, type, code]);
     if (this.readyState > 2) return false;
 
-    if (buffer instanceof Array)    buffer = Buffer.from(buffer);
+    if (buffer instanceof Array)    buffer = new Buffer(buffer);
     if (typeof buffer === 'number') buffer = buffer.toString();
 
     var message = new Message(),
@@ -198,11 +202,11 @@ var instance = {
     message.rsv1   = message.rsv2 = message.rsv3 = false;
     message.opcode = this.OPCODES[type || (isText ? 'text' : 'binary')];
 
-    payload = isText ? Buffer.from(buffer, 'utf8') : buffer;
+    payload = isText ? new Buffer(buffer, 'utf8') : buffer;
 
     if (code) {
       copy = payload;
-      payload = Buffer.allocUnsafe(2 + copy.length);
+      payload = new Buffer(2 + copy.length);
       payload.writeUInt16BE(code, 0);
       copy.copy(payload, 2);
     }
@@ -240,7 +244,7 @@ var instance = {
     var length = frame.length,
         header = (length <= 125) ? 2 : (length <= 65535 ? 4 : 10),
         offset = header + (frame.masked ? 4 : 0),
-        buffer = Buffer.allocUnsafe(offset + length),
+        buffer = new Buffer(offset + length),
         masked = frame.masked ? this.MASK : 0;
 
     buffer[0] = (frame.final ? this.FIN : 0) |
@@ -271,28 +275,18 @@ var instance = {
   },
 
   _handshakeResponse: function() {
-    var secKey  = this._request.headers['sec-websocket-key'],
-        version = this._request.headers['sec-websocket-version'];
+    try {
+      var extensions = this._extensions.generateResponse(this._request.headers['sec-websocket-extensions']);
+    } catch (e) {
+      return this._fail('protocol_error', e.message);
+    }
 
-    if (version !== Hybi.VERSION)
-      throw new Error('Unsupported WebSocket version: ' + version);
-
-    if (typeof secKey !== 'string')
-      throw new Error('Missing handshake request header: Sec-WebSocket-Key');
-
-    this._headers.set('Upgrade', 'websocket');
-    this._headers.set('Connection', 'Upgrade');
-    this._headers.set('Sec-WebSocket-Accept', Hybi.generateAccept(secKey));
-
-    if (this.protocol) this._headers.set('Sec-WebSocket-Protocol', this.protocol);
-
-    var extensions = this._extensions.generateResponse(this._request.headers['sec-websocket-extensions']);
     if (extensions) this._headers.set('Sec-WebSocket-Extensions', extensions);
 
     var start   = 'HTTP/1.1 101 Switching Protocols',
         headers = [start, this._headers.toString(), ''];
 
-    return Buffer.from(headers.join('\r\n'), 'utf8');
+    return new Buffer(headers.join('\r\n'), 'utf8');
   },
 
   _shutdown: function(code, reason, error) {

lib/websocket/driver/hybi/message.js

@@ -1,19 +1,26 @@
 'use strict';
 
-var Buffer = require('safe-buffer').Buffer;
-
 var Message = function() {
   this.rsv1    = false;
   this.rsv2    = false;
   this.rsv3    = false;
-  this.opcode  = null;
+  this.opcode  = null
   this.length  = 0;
   this._chunks = [];
 };
 
 var instance = {
   read: function() {
-    return this.data = this.data || Buffer.concat(this._chunks, this.length);
+    if (this.data) return this.data;
+
+    this.data  = new Buffer(this.length);
+    var offset = 0;
+
+    for (var i = 0, n = this._chunks.length; i < n; i++) {
+      this._chunks[i].copy(this.data, offset);
+      offset += this._chunks[i].length;
+    }
+    return this.data;
   },
 
   pushFrame: function(frame) {

lib/websocket/driver/proxy.js

@@ -1,14 +1,13 @@
 'use strict';
 
-var Buffer     = require('safe-buffer').Buffer,
-    Stream     = require('stream').Stream,
+var Stream     = require('stream').Stream,
     url        = require('url'),
     util       = require('util'),
     Base       = require('./base'),
     Headers    = require('./headers'),
     HttpParser = require('../http_parser');
 
-var PORTS = { 'ws:': 80, 'wss:': 443 };
+var PORTS = {'ws:': 80, 'wss:': 443};
 
 var Proxy = function(client, origin, options) {
   this._client  = client;
@@ -26,7 +25,7 @@ var Proxy = function(client, origin, options) {
   this._headers.set('Connection', 'keep-alive');
   this._headers.set('Proxy-Connection', 'keep-alive');
 
-  var auth = this._url.auth && Buffer.from(this._url.auth, 'utf8').toString('base64');
+  var auth = this._url.auth && new Buffer(this._url.auth, 'utf8').toString('base64');
   if (auth) this._headers.set('Proxy-Authorization', 'Basic ' + auth);
 };
 util.inherits(Proxy, Stream);
@@ -48,7 +47,7 @@ var instance = {
 
     var headers = [start, this._headers.toString(), ''];
 
-    this.emit('data', Buffer.from(headers.join('\r\n'), 'utf8'));
+    this.emit('data', new Buffer(headers.join('\r\n'), 'utf8'));
     return true;
   },
 

lib/websocket/driver/server.js

@@ -71,6 +71,54 @@ var instance = {
 for (var key in instance)
   Server.prototype[key] = instance[key];
 
+Server.http = function(request, options) {
+  options = options || {};
+  if (options.requireMasking === undefined) options.requireMasking = true;
+
+  var klass = this.getDriverClass(request),
+      url   = this.determineUrl(request);
+
+  return klass && new klass(request, url, options);
+};
+
+Server.isWebSocket = function(request) {
+  var klass = this.getDriverClass(request);
+  return !!klass;
+};
+
+Server.getDriverClass = function(request) {
+  var headers = request.headers;
+
+  var connection = headers['connection'] || '',
+      key        = headers['sec-websocket-key'],
+      key1       = headers['sec-websocket-key1'],
+      key2       = headers['sec-websocket-key2'],
+      origin     = headers['origin'],
+      upgrade    = headers['upgrade'] || '',
+      version    = headers['sec-websocket-version'];
+
+  if (request.method !== 'GET' ||
+      connection.toLowerCase().split(/ *, */).indexOf('upgrade') < 0 ||
+      upgrade.toLowerCase() !== 'websocket')
+    return null;
+
+  if (typeof version === 'string' || typeof key === 'string')
+    return (version === '13' && key.length > 0) ? Hybi : null;
+
+  if (typeof origin !== 'string' || origin.length === 0)
+    return null;
+
+  if (typeof key1 === 'string' && typeof key2 === 'string')
+    return Draft76;
+
+  return Draft75;
+};
+
+Server.determineUrl = function(request) {
+  var scheme = this.isSecureRequest(request) ? 'wss:' : 'ws:';
+  return scheme + '//' + request.headers.host + request.url;
+};
+
 Server.isSecureRequest = function(request) {
   if (request.connection && request.connection.authorized !== undefined) return true;
   if (request.socket && request.socket.secure) return true;
@@ -85,28 +133,4 @@ Server.isSecureRequest = function(request) {
   return false;
 };
 
-Server.determineUrl = function(request) {
-  var scheme = this.isSecureRequest(request) ? 'wss:' : 'ws:';
-  return scheme + '//' + request.headers.host + request.url;
-};
-
-Server.http = function(request, options) {
-  options = options || {};
-  if (options.requireMasking === undefined) options.requireMasking = true;
-
-  var headers = request.headers,
-      version = headers['sec-websocket-version'],
-      key     = headers['sec-websocket-key'],
-      key1    = headers['sec-websocket-key1'],
-      key2    = headers['sec-websocket-key2'],
-      url     = this.determineUrl(request);
-
-  if (version || key)
-    return new Hybi(request, url, options);
-  else if (key1 || key2)
-    return new Draft76(request, url, options);
-  else
-    return new Draft75(request, url, options);
-};
-
 module.exports = Server;

lib/websocket/driver/stream_reader.js

@@ -1,7 +1,5 @@
 'use strict';
 
-var Buffer = require('safe-buffer').Buffer;
-
 var StreamReader = function() {
   this._queue     = [];
   this._queueSize = 0;
@@ -10,14 +8,14 @@ var StreamReader = function() {
 
 StreamReader.prototype.put = function(buffer) {
   if (!buffer || buffer.length === 0) return;
-  if (!Buffer.isBuffer(buffer)) buffer = Buffer.from(buffer);
+  if (!buffer.copy) buffer = new Buffer(buffer);
   this._queue.push(buffer);
   this._queueSize += buffer.length;
 };
 
 StreamReader.prototype.read = function(length) {
   if (length > this._queueSize) return null;
-  if (length === 0) return Buffer.alloc(0);
+  if (length === 0) return new Buffer(0);
 
   this._queueSize -= length;
 
@@ -46,7 +44,7 @@ StreamReader.prototype.read = function(length) {
     buffers.push(queue[0].slice(0, remain));
     queue[0] = queue[0].slice(remain);
   }
-  return Buffer.concat(buffers, length);
+  return this._concat(buffers, length);
 };
 
 StreamReader.prototype.eachByte = function(callback, context) {
@@ -66,4 +64,17 @@ StreamReader.prototype.eachByte = function(callback, context) {
   }
 };
 
+StreamReader.prototype._concat = function(buffers, length) {
+  if (Buffer.concat) return Buffer.concat(buffers, length);
+
+  var buffer = new Buffer(length),
+      offset = 0;
+
+  for (var i = 0, n = buffers.length; i < n; i++) {
+    buffers[i].copy(buffer, offset);
+    offset += buffers[i].length;
+  }
+  return buffer;
+};
+
 module.exports = StreamReader;

lib/websocket/http_parser.js

@@ -1,7 +1,8 @@
 'use strict';
 
-var NodeHTTPParser = require('http-parser-js').HTTPParser,
-    Buffer         = require('safe-buffer').Buffer;
+var NodeHTTPParser = require('http-parser-js').HTTPParser;
+
+var VERSION = process.version.match(/[0-9]+/g).map(function(n) { return parseInt(n, 10) });
 
 var TYPES = {
   request:  NodeHTTPParser.REQUEST  || 'request',
@@ -96,10 +97,6 @@ HttpParser.METHODS = {
   32: 'UNLINK'
 };
 
-var VERSION = (process.version || '')
-              .match(/[0-9]+/g)
-              .map(function(n) { return parseInt(n, 10) });
-
 if (VERSION[0] === 0 && VERSION[1] === 12) {
   HttpParser.METHODS[16] = 'REPORT';
   HttpParser.METHODS[17] = 'MKACTIVITY';
@@ -126,10 +123,12 @@ HttpParser.prototype.parse = function(chunk) {
     return;
   }
 
+  if (VERSION[0] === 0 && VERSION[1] < 6) consumed += 1;
+
   if (this._complete)
     this.body = (consumed < chunk.length)
               ? chunk.slice(consumed)
-              : Buffer.alloc(0);
+              : new Buffer(0);
 };
 
 module.exports = HttpParser;

package.json

@@ -1,35 +1,27 @@
-{
-          "name": "websocket-driver",
-          "description": "WebSocket protocol handler with pluggable I/O",
-          "homepage": "https://github.com/faye/websocket-driver-node",
-          "author": "James Coglan <jcoglan@gmail.com> (http://jcoglan.com/)",
-          "keywords": [
-                    "websocket"
-          ],
-          "license": "Apache-2.0",
-          "version": "0.7.3",
-          "engines": {
-                    "node": ">=0.8.0"
-          },
-          "files": [
-                    "lib"
-          ],
-          "main": "./lib/websocket/driver",
-          "dependencies": {
-                    "http-parser-js": ">=0.4.0 <0.4.11",
-                    "safe-buffer": ">=5.1.0",
-                    "websocket-extensions": ">=0.1.1"
-          },
-          "devDependencies": {
-                    "jstest": "*",
-                    "permessage-deflate": "*"
-          },
-          "scripts": {
-                    "test": "jstest spec/runner.js"
-          },
-          "repository": {
-                    "type": "git",
-                    "url": "git://github.com/faye/websocket-driver-node.git"
-          },
-          "bugs": "https://github.com/faye/websocket-driver-node/issues"
+{ "name"            : "websocket-driver"
+, "description"     : "WebSocket protocol handler with pluggable I/O"
+, "homepage"        : "https://github.com/faye/websocket-driver-node"
+, "author"          : "James Coglan <jcoglan@gmail.com> (http://jcoglan.com/)"
+, "keywords"        : ["websocket"]
+, "license"         : "MIT"
+
+, "version"         : "0.7.0"
+, "engines"         : { "node": ">=0.8.0" }
+, "files"           : ["lib"]
+, "main"            : "./lib/websocket/driver"
+
+, "dependencies"    : { "http-parser-js": ">=0.4.0"
+                      , "websocket-extensions": ">=0.1.1"
+                      }
+, "devDependencies" : { "jstest": "*"
+                      , "permessage-deflate": "*"
+                      }
+
+, "scripts"         : { "test": "jstest spec/runner.js" }
+
+, "repository"      : { "type"  : "git"
+                      , "url"   : "git://github.com/faye/websocket-driver-node.git"
+                      }
+
+, "bugs"            : "https://github.com/faye/websocket-driver-node/issues"
 }

spec/runner.js

@@ -1,10 +1,11 @@
-var Buffer = require('safe-buffer').Buffer,
-    test   = require('jstest').Test,
+var test   = require('jstest').Test,
     Stream = require('stream').Stream,
     util   = require('util')
 
 var BufferMatcher = function(data) {
-  this._data = Buffer.from(data)
+  this._data = (typeof data === 'string')
+             ? new Buffer(data, 'utf8')
+             : new Buffer(data)
 }
 BufferMatcher.prototype.equals = function(other) {
   if (this._data.length !== other.length) return false;

spec/websocket/driver/client_spec.js

@@ -1,10 +1,9 @@
 var Client = require("../../../lib/websocket/driver/client"),
-    Buffer = require('safe-buffer').Buffer,
     test   = require('jstest').Test
 
 test.describe("Client", function() { with(this) {
     define("options", function() {
-    return this._options = this._options || { protocols: this.protocols() }
+    return this._options = this._options || {protocols: this.protocols()}
   })
 
   define("protocols", function() {
@@ -191,21 +190,21 @@ test.describe("Client", function() { with(this) {
 
       it("returns true when the response is written", function() { with(this) {
         // this prevents downstream connections suddenly closing for no reason
-        assertEqual( true, proxy.write(Buffer.from("HTTP/1.1 200 OK\r\n\r\n")) )
+        assertEqual( true, proxy.write(new Buffer("HTTP/1.1 200 OK\r\n\r\n")) )
       }})
 
       it("emits a 'connect' event when the proxy connects", function() { with(this) {
         expect(proxy, "emit").given("connect", anything())
         expect(proxy, "emit").given("close")
         expect(proxy, "emit").given("end")
-        proxy.write(Buffer.from("HTTP/1.1 200 OK\r\n\r\n"))
+        proxy.write(new Buffer("HTTP/1.1 200 OK\r\n\r\n"))
       }})
 
       it("emits an 'error' event if the proxy does not connect", function() { with(this) {
-        expect(proxy, "emit").given("error", objectIncluding({ message: "Can't establish a connection to the server at ws://www.example.com/socket" }))
+        expect(proxy, "emit").given("error", objectIncluding({message: "Can't establish a connection to the server at ws://www.example.com/socket"}))
         expect(proxy, "emit").given("close")
         expect(proxy, "emit").given("end")
-        proxy.write(Buffer.from("HTTP/1.1 403 Forbidden\r\n\r\n"))
+        proxy.write(new Buffer("HTTP/1.1 403 Forbidden\r\n\r\n"))
       }})
     }})
   }})
@@ -214,7 +213,7 @@ test.describe("Client", function() { with(this) {
     before(function() { this.driver().start() })
 
     describe("with a valid response", function() { with(this) {
-      before(function() { this.driver().parse(Buffer.from(this.response())) })
+      before(function() { this.driver().parse(new Buffer(this.response())) })
 
       it("changes the state to open", function() { with(this) {
         assertEqual( true, open )
@@ -233,9 +232,9 @@ test.describe("Client", function() { with(this) {
 
     describe("with a valid response followed by a frame", function() { with(this) {
       before(function() { with(this) {
-        var resp = Buffer.alloc(response().length + 4)
-        Buffer.from(response()).copy(resp)
-        Buffer.from([0x81, 0x02, 72, 105]).copy(resp, resp.length - 4)
+        var resp = new Buffer(response().length + 4)
+        new Buffer(response()).copy(resp)
+        new Buffer([0x81, 0x02, 72, 105]).copy(resp, resp.length - 4)
         driver().parse(resp)
       }})
 
@@ -253,7 +252,7 @@ test.describe("Client", function() { with(this) {
     describe("with a bad status line", function() { with(this) {
       before(function() {
         var resp = this.response().replace(/101/g, "4")
-        this.driver().parse(Buffer.from(resp))
+        this.driver().parse(new Buffer(resp))
       })
 
       it("changes the state to closed", function() { with(this) {
@@ -267,7 +266,7 @@ test.describe("Client", function() { with(this) {
     describe("with a bad Upgrade header", function() { with(this) {
       before(function() {
         var resp = this.response().replace(/websocket/g, "wrong")
-        this.driver().parse(Buffer.from(resp))
+        this.driver().parse(new Buffer(resp))
       })
 
       it("changes the state to closed", function() { with(this) {
@@ -281,7 +280,7 @@ test.describe("Client", function() { with(this) {
     describe("with a bad Accept header", function() { with(this) {
       before(function() {
         var resp = this.response().replace(/QV3/g, "wrong")
-        this.driver().parse(Buffer.from(resp))
+        this.driver().parse(new Buffer(resp))
       })
 
       it("changes the state to closed", function() { with(this) {
@@ -297,7 +296,7 @@ test.describe("Client", function() { with(this) {
 
       before(function() {
         var resp = this.response().replace(/\r\n\r\n/, "\r\nSec-WebSocket-Protocol: xmpp\r\n\r\n")
-        this.driver().parse(Buffer.from(resp))
+        this.driver().parse(new Buffer(resp))
       })
 
       it("changs the state to open", function() { with(this) {
@@ -316,7 +315,7 @@ test.describe("Client", function() { with(this) {
 
       before(function() {
         var resp = this.response().replace(/\r\n\r\n/, "\r\nSec-WebSocket-Protocol: irc\r\n\r\n")
-        this.driver().parse(Buffer.from(resp))
+        this.driver().parse(new Buffer(resp))
       })
 
       it("changs the state to closed", function() { with(this) {

spec/websocket/driver/draft75_spec.js

@@ -4,7 +4,6 @@ var Draft75 = require("../../../lib/websocket/driver/draft75"),
 test.describe("Draft75", function() { with(this) {
   define("request", function() {
     return this._request = this._request || {
-      method: "GET",
       headers: {
         "connection": "Upgrade",
         "upgrade":    "WebSocket",
@@ -14,7 +13,7 @@ test.describe("Draft75", function() { with(this) {
   })
 
   define("options", function() {
-    return this._options = this._options || { masking: false }
+    return this._options = this._options || {masking: false}
   })
 
   define("driver", function() {

spec/websocket/driver/draft76_spec.js

@@ -1,9 +1,8 @@
 var Draft76 = require("../../../lib/websocket/driver/draft76"),
-    Buffer  = require('safe-buffer').Buffer,
     test    = require('jstest').Test
 
 test.describe("Draft76", function() { with(this) {
-  BODY = Buffer.from([0x91, 0x25, 0x3e, 0xd3, 0xa9, 0xe7, 0x6a, 0x88])
+  BODY = new Buffer([0x91, 0x25, 0x3e, 0xd3, 0xa9, 0xe7, 0x6a, 0x88])
 
   define("body", function() {
     return BODY
@@ -15,7 +14,6 @@ test.describe("Draft76", function() { with(this) {
 
   define("request", function() {
     return this._request = this._request || {
-      method: "GET",
       headers: {
         "connection":         "Upgrade",
         "upgrade":            "WebSocket",
@@ -27,7 +25,7 @@ test.describe("Draft76", function() { with(this) {
   })
 
   define("options", function() {
-    return this._options = this._options || { masking: false }
+    return this._options = this._options || {masking: false}
   })
 
   define("driver", function() {
@@ -90,13 +88,8 @@ test.describe("Draft76", function() { with(this) {
           request().headers["sec-websocket-key1"] = "2 L785 8o% s9Sy9@V. 4<1P5"
         }})
 
-        it("writes a handshake error response", function() { with(this) {
-          expect(driver().io, "emit").given("data", buffer(
-              "HTTP/1.1 400 Bad Request\r\n" +
-              "Content-Type: text/plain\r\n" +
-              "Content-Length: 45\r\n" +
-              "\r\n" +
-              "Client sent invalid Sec-WebSocket-Key headers"))
+        it("writes a closing frame to the socket", function() { with(this) {
+          expect(driver().io, "emit").given("data", buffer([0xff, 0x00]))
           driver().start()
         }})
 
@@ -150,7 +143,7 @@ test.describe("Draft76", function() { with(this) {
 
     describe("with no request body", function() { with(this) {
       define("body", function() {
-        return Buffer.alloc(0)
+        return new Buffer([])
       })
 
       it("writes the handshake response with no body", function() { with(this) {

spec/websocket/driver/hybi_spec.js

@@ -4,7 +4,6 @@ var Hybi = require("../../../lib/websocket/driver/hybi"),
 test.describe("Hybi", function() { with(this) {
   define("request", function() {
     return this._request = this._request || {
-      method: "GET",
       headers: {
         "connection":             "Upgrade",
         "upgrade":                "websocket",
@@ -17,7 +16,7 @@ test.describe("Hybi", function() { with(this) {
   })
 
   define("options", function() {
-    return this._options = this._options || { masking: false }
+    return this._options = this._options || {masking: false}
   })
 
   define("driver", function() {
@@ -85,13 +84,8 @@ test.describe("Hybi", function() { with(this) {
           request().headers["sec-websocket-extensions"] = "x-webkit- -frame"
         }})
 
-        it("writes a handshake error response", function() { with(this) {
-          expect(driver().io, "emit").given("data", buffer(
-              "HTTP/1.1 400 Bad Request\r\n" +
-              "Content-Type: text/plain\r\n" +
-              "Content-Length: 57\r\n" +
-              "\r\n" +
-              "Invalid Sec-WebSocket-Extensions header: x-webkit- -frame"))
+        it("does not write a handshake", function() { with(this) {
+          expect(driver().io, "emit").exactly(0)
           driver().start()
         }})
 
@@ -121,13 +115,13 @@ test.describe("Hybi", function() { with(this) {
           driver().setHeader("Authorization", "Bearer WAT")
         }})
 
-        it("writes the handshake with the custom headers", function() { with(this) {
+        it("writes the handshake with Sec-WebSocket-Protocol", function() { with(this) {
           expect(driver().io, "emit").given("data", buffer(
               "HTTP/1.1 101 Switching Protocols\r\n" +
-              "Authorization: Bearer WAT\r\n" +
               "Upgrade: websocket\r\n" +
               "Connection: Upgrade\r\n" +
               "Sec-WebSocket-Accept: JdiiuafpBKRqD7eol0y4vJDTsTs=\r\n" +
+              "Authorization: Bearer WAT\r\n" +
               "\r\n"))
           driver().start()
         }})