em-websocket 0.1.3 → 0.1.4

data/CHANGELOG.rdoc

@@ -0,0 +1,37 @@
+= Changelog
+
+== 0.1.4 / 2010-08-23
+
+- new features:
+  - Allow custom ssl certificate to be used by passing :tls_options
+  - Protect against errors caused by non limited frame lengths
+  - Use custom exceptions rather than RuntimeError
+- bugfixes:
+  - Handle invalid HTTP request with HandshakeError
+
+== 0.1.3 / 2010-07-18
+
+- new features:
+  - onerror callback
+- bugfixes:
+  - proper handling of zero spaces in key1 or key2(prevent ZeroDivisionError)
+  - convert received data to utf-8 to prevent ruby 1.9 errors
+  - fix handling of null bytes within a frame
+
+== 0.1.2 / 2010-06-16
+
+- new features:
+  - none
+- bugfixes:
+  - allow $ character inside header key
+
+== 0.1.1 / 2010-06-13
+
+- new features:
+  - wss/ssl support
+- bugfixes:
+  - can't & strings
+
+== 0.1.0 / 2010-06-12
+
+- initial release

data/README.rdoc

@@ -24,6 +24,24 @@ check out the blog post below:
     end
   }
 
+== Secure server
+
+It is possible to accept secure wss:// connections by passing :secure => true when opening the connection. Safari 5 does not currently support prompting on untrusted SSL certificates therefore using signed certificates is highly recommended. Pass a :tls_options hash containing keys as described in http://eventmachine.rubyforge.org/EventMachine/Connection.html#M000296
+
+For example,
+
+  EventMachine::WebSocket.start({
+    :host => "0.0.0.0",
+    :port => 443
+    :secure => true,
+    :tls_options => {
+      :private_key_file => "/private/key",
+      :cert_chain_file => "/ssl/certificate"
+    }
+  }) do |ws|
+    ...
+  end
+
 == Examples
 - examples/multicast.rb - broadcast all ruby tweets to all subscribers
 - examples/echo.rb - server <> client exchange via a websocket

data/VERSION

@@ -1 +1 @@
-0.1.3
+0.1.4

data/lib/em-websocket/connection.rb

@@ -7,6 +7,10 @@ module EventMachine
 
       attr_reader :state, :request
 
+      # Set the max frame lenth to very high value (10MB) until there is a
+      # limit specified in the spec to protect against malicious attacks
+      MAXIMUM_FRAME_LENGTH = 10 * 1024 * 1024
+
       # define WebSocket callbacks
       def onopen(&blk);     @onopen = blk;    end
       def onclose(&blk);    @onclose = blk;   end
@@ -17,6 +21,7 @@ module EventMachine
         @options = options
         @debug = options[:debug] || false
         @secure = options[:secure] || false
+        @tls_options = options[:tls_options] || {}
         @state = :handshake
         @request = {}
         @data = ''
@@ -25,7 +30,7 @@ module EventMachine
       end
 
       def post_init
-        start_tls if @secure
+        start_tls(@tls_options) if @secure
       end
 
       def receive_data(data)
@@ -48,7 +53,7 @@ module EventMachine
             handshake
           when :connected
             process_message
-          else raise RuntimeError, "invalid state: #{@state}"
+          else raise WebSocketError, "invalid state: #{@state}"
         end
       end
 
@@ -118,6 +123,12 @@ module EventMachine
               break unless (b & 0x80) == 0x80
             end
 
+            # Addition to the spec to protect against malicious requests
+            if length > MAXIMUM_FRAME_LENGTH
+              close_with_error(DataError.new("Frame length too long (#{length} bytes)"))
+              return false
+            end
+
             if @data[pointer+length-1] == nil
               debug [:buffer_incomplete, @data.inspect]
               # Incomplete data - leave @data to accumulate
@@ -170,6 +181,11 @@ module EventMachine
         ary.collect{ |s| s.force_encoding('UTF-8') if s.respond_to?(:force_encoding) }
         send_data(ary.join)
       end
+
+      def close_with_error(message)
+        @onerror.call(message) if @onerror
+        close_connection_after_writing
+      end
     end
   end
 end

data/lib/em-websocket/handler.rb

@@ -1,7 +1,5 @@
 module EventMachine
   module WebSocket
-    class HandshakeError < RuntimeError; end
-
     class Handler
       include Debugger
 

data/lib/em-websocket/handler76.rb

@@ -7,7 +7,7 @@ module EventMachine
       TERMINATE_STRING = "\xff\x00"
 
       def handshake
-        challenge_response = solve_challange(
+        challenge_response = solve_challenge(
           @request['Sec-WebSocket-Key1'],
           @request['Sec-WebSocket-Key2'],
           @request['Third-Key']
@@ -36,7 +36,7 @@ module EventMachine
 
       private
 
-      def solve_challange(first, second, third)
+      def solve_challenge(first, second, third)
         # Refer to 5.2 4-9 of the draft 76
         sum = [(extract_nums(first) / count_spaces(first))].pack("N*") +
           [(extract_nums(second) / count_spaces(second))].pack("N*") +

data/lib/em-websocket/handler_factory.rb

@@ -12,6 +12,7 @@ module EventMachine
 
         # extract request path
         first_line = lines.shift.match(PATH)
+        raise HandshakeError, "Invalid HTTP header" unless first_line
         request['Method'] = first_line[1].strip
         request['Path'] = first_line[2].strip
 
@@ -44,7 +45,7 @@ module EventMachine
         when 76
           Handler76.new(request, response, debug)
         else
-          raise "Must not happen"
+          raise WebSocketError, "Must not happen"
         end
       end
     end

data/lib/em-websocket/websocket.rb

@@ -1,5 +1,8 @@
 module EventMachine
   module WebSocket
+    class WebSocketError < RuntimeError; end
+    class HandshakeError < WebSocketError; end
+    class DataError < WebSocketError; end
 
     def self.start(options, &blk)
       EM.epoll

data/spec/integration/integration_spec.rb

@@ -125,4 +125,43 @@ describe "WebSocket server draft76" do
       end
     end
   end
+
+  it "should handle unreasonable frame lengths by calling onerror callback" do
+    EM.run do
+      EventMachine::WebSocket.start(:host => "0.0.0.0", :port => 12345) { |server|
+        server.onerror { |error|
+          error.should be_an_instance_of EM::WebSocket::DataError
+          error.message.should == "Frame length too long (1180591620717411303296 bytes)"
+          EM.stop
+        }
+      }
+
+      # Create a fake client which sends draft 76 handshake
+      client = EM.connect('0.0.0.0', 12345, FakeWebSocketClient)
+      client.send_data(format_request(@request))
+
+      # This particular frame indicates a message length of
+      # 1180591620717411303296 bytes. Such a message would previously cause
+      # a "bignum too big to convert into `long'" error.
+      # However it is clearly unreasonable and should be rejected.
+      client.onopen = lambda {
+        client.send_data("\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00")
+      }
+    end
+  end
+  
+  it "should handle invalid http requests by raising HandshakeError passed to onerror callback" do
+    EM.run {
+      EventMachine::WebSocket.start(:host => "0.0.0.0", :port => 12345) { |server|
+        server.onerror { |error|
+          error.should be_an_instance_of EM::WebSocket::HandshakeError
+          error.message.should == "Invalid HTTP header"
+          EM.stop
+        }
+      }
+      
+      client = EM.connect('0.0.0.0', 12345, FakeWebSocketClient)
+      client.send_data("This is not a HTTP header")
+    }
+  end
 end

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 1
-  - 3
-  version: 0.1.3
+  - 4
+  version: 0.1.4
 platform: ruby
 authors: 
 - Ilya Grigorik
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-07-18 00:00:00 -04:00
+date: 2010-08-23 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -69,6 +69,7 @@ extra_rdoc_files:
 - README.rdoc
 files: 
 - .gitignore
+- CHANGELOG.rdoc
 - README.rdoc
 - Rakefile
 - VERSION