fix a DoS against websocket clients
I assumed gorilla validated UTF8 for incoming text messages. In fact, the
documentation states:

>It is the application's responsibility to ensure that text messages
>are valid UTF-8 encoded text.

and this applies to both incoming and outgoing messages. Consequently,
even when enforce-utf8 is enabled, it was possible to send invalid UTF8
to Ergo inside a websocket text frame. This data would be incorrectly
considered valid UTF8, and could be relayed to other clients, including
to websocket clients inside a text frame. The resulting frame would violate
the websocket protocol, causing web clients to be disconnected.
slingamn committed Jan 22, 2023
1 parent 1e1acda commit 9589d01
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions irc/ircconn.go
Expand Up @@ -128,9 +128,9 @@ func (wc IRCWSConn) WriteLines(buffers [][]byte) (err error) {
}

func (wc IRCWSConn) ReadLine() (line []byte, err error) {
messageType, line, err := wc.conn.ReadMessage()
_, line, err = wc.conn.ReadMessage()
if err == nil {
if messageType == websocket.BinaryMessage && !utf8.Valid(line) {
if !utf8.Valid(line) {
return line, errInvalidUtf8
}
return line, nil
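
Review bot: the now-unconditional `if !utf8.Valid(line)` check in ReadLine would benefit from a short comment stating that the websocket library does not validate text frames, since the removed `messageType == websocket.BinaryMessage` condition looked deliberate and could be reintroduced by someone tidying this code later. The commit message also notes that the library's caveat covers outgoing messages, but this hunk only changes the read side; it is worth confirming that WriteLines (visible in the hunk header, unchanged here) never places a buffer that fails `utf8.Valid` into a text frame, for example when the data originates from a non-websocket client. A regression test that feeds ReadLine a text message containing an invalid byte sequence and expects errInvalidUtf8 would lock the fix in.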