2011-01-09  Joe Mason  <jmason@rim.com>

        Reviewed by NOBODY (OOPS!).

        WebSockets: unbounded buffer growth when server sends bad data

        https://bugs.webkit.org/show_bug.cgi?id=51253

        Fail a websocket handshake after 1024 bytes without a newline, or if it

        contains a null byte before the first newline.

        Tests: http/tests/websocket/tests/handshake-fail-by-maxlength.html

               http/tests/websocket/tests/handshake-fail-by-prepended-null.html

        * websockets/WebSocketHandshake.cpp:

        (WebCore::WebSocketHandshake::readStatusLine):

 * Copyright (C) Research In Motion Limited 2011. All rights reserved.

    // Arbitrary size limit to prevent the server from sending an unbounded

    // amount of data with no newlines and forcing us to buffer it all.

    static const size_t maxLength = 1024;

        } else if (*p == '\0') {

            // The caller will search for the ending newline with strnstr,

            // which does not scan past nulls.  So a null in the stream will

            // cause it to loop forever, reading more data and then repeating

            // the search only on the data before the null, unless we abort

            // immediately.

            m_context->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "Status line contains embedded null", 0, clientOrigin());

            return p + 1 - header;

2011-01-09  Joe Mason  <jmason@rim.com>

        Reviewed by NOBODY (OOPS!).

        WebSockets: unbounded buffer growth when server sends bad data

        https://bugs.webkit.org/show_bug.cgi?id=51253

        Tests that a websocket handshake should fail after 1024 bytes without a

        newline, or if it contains a null byte before the first newline.

        * http/tests/websocket/tests/handshake-fail-by-maxlength-expected.txt: Added.

        * http/tests/websocket/tests/handshake-fail-by-maxlength.html: Added.

        * http/tests/websocket/tests/handshake-fail-by-maxlength_wsh.py: Added.

        * http/tests/websocket/tests/handshake-fail-by-prepended-null-expected.txt: Added.

        * http/tests/websocket/tests/handshake-fail-by-prepended-null.html: Added.

        * http/tests/websocket/tests/handshake-fail-by-prepended-null_wsh.py: Added.

        * http/tests/websocket/tests/script-tests/handshake-fail-by-maxlength.js: Added.

        (endTest):

        (ws.onopen):

        (ws.onmessage):

        (ws.onclose):

        (timeoutCallback):

        * http/tests/websocket/tests/script-tests/handshake-fail-by-prepended-null.js: Added.

        (endTest):

        (ws.onopen):

        (ws.onmessage):

        (ws.onclose):

        (timeoutCallback):

CONSOLE MESSAGE: line 0: Status line is too long: ................................................................................................................................…

Connection should fail immediately, rather than succeeding or staying in limbo until timeout, if handshake is longer than 1024 bytes.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

PASS timedOut is false

PASS connected is false

PASS origin is undefined.

PASS successfullyParsed is true

TEST COMPLETE

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">

<html>

<head>

<link rel="stylesheet" href="../../../js-test-resources/js-test-style.css">

<script src="../../../js-test-resources/js-test-pre.js"></script>

<script src="../../../js-test-resources/js-test-post-function.js"></script>

</head>

<body>

<div id="description"></div>

<div id="console"></div>

<script src="script-tests/handshake-fail-by-maxlength.js"></script>

</body>

</html>

# Copyright (C) Research In Motion Limited 2011. All rights reserved.

#

# Redistribution and use in source and binary forms, with or without

# modification, are permitted provided that the following conditions are

# met:

#

#     * Redistributions of source code must retain the above copyright

# notice, this list of conditions and the following disclaimer.

#     * Redistributions in binary form must reproduce the above

# copyright notice, this list of conditions and the following disclaimer

# in the documentation and/or other materials provided with the

# distribution.

#     * Neither the name of Google Inc. nor the names of its

# contributors may be used to endorse or promote products derived from

# this software without specific prior written permission.

#

# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

import time

def web_socket_do_extra_handshake(request):

    # This will cause the handshake to fail because it pushes the length of the

    # status line of 1024 characters

    msg = ""

    for i in range(0, 1024):

        msg += "."

    msg += 'HTTP/1.1 101 WebSocket Protocol Handshake\r\n'

    msg += 'Upgrade: WebSocket\r\n'

    msg += 'Connection: Upgrade\r\n'

    msg += 'Sec-WebSocket-Location: ' + request.ws_location + '\r\n'

    msg += 'Sec-WebSocket-Origin: ' + request.ws_origin + '\r\n'

    msg += '\r\n'

    msg += request.ws_challenge_md5

    request.connection.write(msg)

    # continue writing data until the client disconnects

    while True:

        time.sleep(1)

        request.connection.write('keepalive\n')

def web_socket_transfer_data(request):

    pass

CONSOLE MESSAGE: line 0: Status line contains embedded null

Connection should fail immediately, rather than succeeding or staying in limbo until timeout, if a null byte is received before the handshake.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

PASS timedOut is false

PASS connected is false

PASS origin is undefined.

PASS successfullyParsed is true

TEST COMPLETE

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">

<html>

<head>

<link rel="stylesheet" href="../../../js-test-resources/js-test-style.css">

<script src="../../../js-test-resources/js-test-pre.js"></script>

<script src="../../../js-test-resources/js-test-post-function.js"></script>

</head>

<body>

<div id="description"></div>

<div id="console"></div>

<script src="script-tests/handshake-fail-by-prepended-null.js"></script>

</body>

</html>

# Copyright (C) Research In Motion Limited 2011. All rights reserved.

#

# Redistribution and use in source and binary forms, with or without

# modification, are permitted provided that the following conditions are

# met:

#

#     * Redistributions of source code must retain the above copyright

# notice, this list of conditions and the following disclaimer.

#     * Redistributions in binary form must reproduce the above

# copyright notice, this list of conditions and the following disclaimer

# in the documentation and/or other materials provided with the

# distribution.

#     * Neither the name of Google Inc. nor the names of its

# contributors may be used to endorse or promote products derived from

# this software without specific prior written permission.

#

# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

import time

def web_socket_do_extra_handshake(request):

    # This simulates a broken server that sends a WebSocket frame before the

    # handshake, and more frames afterwards.  It is important that if this

    # happens the client does not buffer all the frames as the server continues

    # to send more data - it should abort after reading a reasonable number of

    # bytes (set arbitrarily to 1024).

    frame = '\0Frame-contains-thirty-two-bytes'

    msg = frame

    msg += 'HTTP/1.1 101 WebSocket Protocol Handshake\r\n'

    msg += 'Upgrade: WebSocket\r\n'

    msg += 'Connection: Upgrade\r\n'

    msg += 'Sec-WebSocket-Location: ' + request.ws_location + '\r\n'

    msg += 'Sec-WebSocket-Origin: ' + request.ws_origin + '\r\n'

    msg += '\r\n'

    msg += request.ws_challenge_md5

    request.connection.write(msg)

    # continue writing data until the client disconnects

    while True:

        time.sleep(1)

        numFrames = 1024 / len(frame) # write over 1024 bytes including the above handshake

        for i in range(0, numFrames):

            request.connection.write(frame)

def web_socket_transfer_data(request):

    pass

description('Connection should fail immediately, rather than succeeding or staying in limbo until timeout, if handshake is longer than 1024 bytes.');

if (window.layoutTestController)

    layoutTestController.waitUntilDone()

var timedOut = false;

var connected = false;

var origin;

function endTest() {

    shouldBeFalse('timedOut');

    shouldBeFalse('connected');

    shouldBeUndefined('origin');

    clearTimeout(timeoutID);

    isSuccessfullyParsed();

    if (window.layoutTestController)

        layoutTestController.notifyDone();

}

var url = 'ws://localhost:8880/websocket/tests/handshake-fail-by-maxlength';

var ws = new WebSocket(url);

ws.onopen = function()

{

    debug('Connected');

    connected = true;

}

ws.onmessage = function(messageEvent)

{

    origin = messageEvent.data;

    debug('origin = ' + origin);

    ws.close();

}

ws.onclose = function()

{

    endTest();

}

function timeoutCallback()

{

    debug('Timed out (state = ' + ws.readyState + ')');

    timedOut = true;

    endTest();

}

var timeoutID = setTimeout(timeoutCallback, 3000);

var successfullyParsed = true;

description('Connection should fail immediately, rather than succeeding or staying in limbo until timeout, if a null byte is received before the handshake.');

if (window.layoutTestController)

    layoutTestController.waitUntilDone()

var timedOut = false;

var connected = false;

var origin;

function endTest() {

    shouldBeFalse('timedOut');

    shouldBeFalse('connected');

    shouldBeUndefined('origin');

    clearTimeout(timeoutID);

    isSuccessfullyParsed();

    if (window.layoutTestController)

        layoutTestController.notifyDone();

}

var url = 'ws://localhost:8880/websocket/tests/handshake-fail-by-prepended-null';

var ws = new WebSocket(url);

ws.onopen = function()

{

    debug('Connected');

    connected = true;

}

ws.onmessage = function(messageEvent)

{

    origin = messageEvent.data;

    debug('origin = ' + origin);

    ws.close();

}

ws.onclose = function()

{

    endTest();

}

function timeoutCallback()

{

    debug('Timed out (state = ' + ws.readyState + ')');

    timedOut = true;

    endTest();

}

var timeoutID = setTimeout(timeoutCallback, 3000);

var successfullyParsed = true;