Comments (4)
I changed the function:
```js
try {
  var k1 = this.request.headers['sec-websocket-key1'],
      k2 = this.request.headers['sec-websocket-key2'];
  if (k1 && k2) {
    var md5 = crypto.createHash('md5');
    [k1, k2].forEach(function(k) {
      // The digits form a number that must divide evenly by the space count
      var n = parseInt(k.replace(/[^\d]/g, ''), 10),
          spaces = k.replace(/[^ ]/g, '').length;
      if (spaces === 0 || n % spaces !== 0) {
        this.listener.options.log('Invalid WebSocket key: "' + k + '". Dropping connection');
        this.connection.destroy();
        return false; // leaves this callback only
      }
      n /= spaces;
      md5.update(String.fromCharCode(
        n >> 24 & 0xFF,
        n >> 16 & 0xFF,
        n >> 8 & 0xFF,
        n & 0xFF));
    }, this); // pass `this` so the callback can reach listener and connection
    md5.update(this.upgradeHead.toString('binary'));
    try {
      this.connection.write(headers.concat('', '').join('\r\n') + md5.digest('binary'), 'binary');
    } catch(e){
      this._onClose();
    }
  }
  return true;
} catch (e) {
  // Any unexpected error closes this client instead of taking the process down
  this._onClose();
}
```
to prevent this
from socket.io.
This also applies when accessing the websocket URL directly:
```
/Users/kmike/dev/node-try/Socket.IO-node/lib/socket.io/transports/websocket.js:25
this.connection.setTimeout(0);
^
TypeError: Object #<a ServerResponse> has no method 'setTimeout'
at [object Object]._onConnect (/Users/kmike/dev/node-try/Socket.IO-node/lib/socket.io/transports/websocket.js:25:18)
at [object Object].<anonymous> (/Users/kmike/dev/node-try/Socket.IO-node/lib/socket.io/client.js:17:7)
at new <anonymous> (/Users/kmike/dev/node-try/Socket.IO-node/lib/socket.io/transports/websocket.js:9:9)
at [object Object]._onConnection (/Users/kmike/dev/node-try/Socket.IO-node/lib/socket.io/listener.js:123:73)
at [object Object].check (/Users/kmike/dev/node-try/Socket.IO-node/lib/socket.io/listener.js:83:9)
at Server.<anonymous> (/Users/kmike/dev/node-try/Socket.IO-node/lib/socket.io/listener.js:39:12)
at Server.emit (events:33:26)
at HTTPParser.onIncoming (http:825:10)
at HTTPParser.onHeadersComplete (http:87:31)
at Stream.ondata (http:757:22)
```
I think it's quite a serious error because the entire server can be shut down just by visiting a publicly available URL.
from socket.io.
I can replicate crashing node.js by accessing the websocket url.
Just type in the URL
http://localhost/socket.io/websocket
in a web browser to crash the node server.
I think that's pretty serious.
from socket.io.
30 Aug 16:53:22 - WebSocket connection invalid
is what you get now
from socket.io.
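One way to reject the request described in this thread before any socket-only method is called on it, as an added example that is not socket.io's code. `decodeKey` and `checkHandshake` are hypothetical names, and the example assumes a hixie-76 handshake in which both key headers and the 8-byte upgrade body are required.

```javascript
const crypto = require('crypto');

// Decode one Sec-WebSocket-Key1/Key2 value: its digits form a number that
// must be an exact multiple of its space count. Returns null when invalid.
function decodeKey(key) {
  if (typeof key !== 'string') return null;
  const digits = key.replace(/[^\d]/g, '');
  const spaces = key.replace(/[^ ]/g, '').length;
  if (digits === '' || spaces === 0) return null;
  const n = parseInt(digits, 10);
  if (n > 0xFFFFFFFF || n % spaces !== 0) return null;
  return n / spaces;
}

// Classify a request before any socket-only method is called on it.
// `req` needs only a `headers` map; `head` is the body sent with the upgrade.
// Returns { ok: true, response: Buffer } or { ok: false, reason: string }.
function checkHandshake(req, head) {
  const h = (req && req.headers) || {};
  if (String(h.upgrade || '').toLowerCase() !== 'websocket') {
    return { ok: false, reason: 'not an upgrade request' };
  }
  const n1 = decodeKey(h['sec-websocket-key1']);
  const n2 = decodeKey(h['sec-websocket-key2']);
  if (n1 === null || n2 === null) {
    return { ok: false, reason: 'invalid key' };
  }
  if (!Buffer.isBuffer(head) || head.length !== 8) {
    return { ok: false, reason: 'bad upgrade body' };
  }
  // Challenge response: MD5 over both decoded numbers (big-endian) and the body
  const nums = Buffer.alloc(8);
  nums.writeUInt32BE(n1, 0);
  nums.writeUInt32BE(n2, 4);
  const response = crypto.createHash('md5').update(nums).update(head).digest();
  return { ok: true, response };
}

// Constructed sample: a browser GET like the one in the thread, no Upgrade header.
const plainGet = { headers: { host: 'localhost', accept: 'text/html' } };
console.log(checkHandshake(plainGet, Buffer.alloc(0)));
```

When `ok` is false the caller can log the reason and close that one connection, so malformed input never reaches code that can throw.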