From db777310b59fc2c0ecbdfbe852c2a8c18fa7442a Mon Sep 17 00:00:00 2001 From: Joakim Erdfelt Date: Mon, 9 Dec 2013 11:37:14 -0700 Subject: [PATCH] WebSocket / RFC-6455: Section 5.1 frame masking validation --- .../jetty/websocket/common/Parser.java | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/jetty-websocket/websocket-common/src/main/java/org/eclipse/jetty/websocket/common/Parser.java b/jetty-websocket/websocket-common/src/main/java/org/eclipse/jetty/websocket/common/Parser.java index a53dffb0d6a..a864b6061c2 100644 --- a/jetty-websocket/websocket-common/src/main/java/org/eclipse/jetty/websocket/common/Parser.java +++ b/jetty-websocket/websocket-common/src/main/java/org/eclipse/jetty/websocket/common/Parser.java @@ -191,11 +191,26 @@ public class Parser if (policy.getBehavior() == WebSocketBehavior.SERVER) { - // Parsing on server? - // Then you MUST make sure all incoming frames are masked! + /* Parsing on server. + * + * Then you MUST make sure all incoming frames are masked! + * + * Technically, this test is in violation of RFC-6455, Section 5.1 + * http://tools.ietf.org/html/rfc6455#section-5.1 + * + * But we can't trust the client at this point, so Jetty opts to close + * the connection as a Protocol error. + */ if (f.isMasked() == false) { - throw new ProtocolException("Client frames MUST be masked (RFC-6455)"); + throw new ProtocolException("Client MUST mask all frames (RFC-6455: Section 5.1)"); + } + } else if(policy.getBehavior() == WebSocketBehavior.CLIENT) + { + // Required by RFC-6455 / Section 5.1 + if (f.isMasked() == true) + { + throw new ProtocolException("Server MUST NOT mask any frames (RFC-6455: Section 5.1)"); } }