Skip to content

Reject invalid Sec-WebSocket-Key values#119

Open
94xhn wants to merge 1 commit into
Theldus:masterfrom
94xhn:fix-handshake-key-length
Open

Reject invalid Sec-WebSocket-Key values#119
94xhn wants to merge 1 commit into
Theldus:masterfrom
94xhn:fix-handshake-key-length

Conversation

@94xhn

@94xhn 94xhn commented Jul 15, 2026

Copy link
Copy Markdown

Description

RFC 6455 requires Sec-WebSocket-Key to be a Base64 value that decodes to
exactly 16 bytes. Before this fix, malformed keys could still produce a
101 Switching Protocols response.

This revision rejects a key unless it has the required 24-character padded
form and the existing Base64 decoder produces exactly 16 bytes. The previous
variable-length SHA-1 change is removed, so the accepted key and GUID are
hashed using the existing WS_KEYMS_LEN length.

Verification

  • Reproduced the old behavior with short, invalid-alphabet, and 18-byte keys.
  • Verified the RFC example still produces
    s3pPLMBiTxaQ9kYGzzhZRbK+xOo=.
  • Verified short, overlong, invalid-alphabet, bad-padding, embedded-padding,
    and 18-byte keys are rejected by the complete handshake-response path.
  • Built the library and all examples with CMake/Ninja on MinGW GCC 8.1.0.
  • Compiled the focused regression harness with -Werror -pedantic.

Checklist

  • I've read the notice in the PR template before submitting it
  • My PR is:
    • Trivial and:
      • I've created an issue (please mention the issue number)
      • I haven't created an issue (thats ok...)
    • Non-trivial:
      • Issue number: N/A

Reject keys that are not the 24-character padded Base64 form or do
not decode to exactly 16 bytes before generating the accept response.

Tested: CMake/Ninja build; handshake response regression harness
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant