https://bz.apache.org/bugzilla/show_bug.cgi?id=66548
Bug ID: 66548
Summary: Tomcat does not validate value of Sec-Websocket-Key header
Product: Tomcat 9
Version: 9.0.73
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: WebSocket
Assignee: dev@tomcat.apache.org
Reporter: dan.r...@workday.com
Target Milestone: -----

In the websocket RFC (https://www.rfc-editor.org/rfc/rfc6455#section-4.1) we read:

   The request MUST include a header field with the name
   |Sec-WebSocket-Key|. The value of this header field MUST be a
   nonce consisting of a randomly selected 16-byte value that has
   been base64-encoded (see Section 4 of [RFC4648]). The nonce
   MUST be selected randomly for each connection.

Tomcat appears to accept any value for Sec-WebSocket-Key - even if it's not a base64 string, and even if it's not the correct length.

I don't think this causes any functional or security issues, but since the WebSocket spec is worded pretty strongly ("MUST"), I think it would make sense for Tomcat to throw an exception if the Sec-WebSocket-Key header does not meet this requirement.

-- 
You are receiving this mail because:
You are the assignee for the bug.
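The check the report asks for, as an added example in Python that is not Tomcat's code and not part of the bug report: a server-side validator that accepts a Sec-WebSocket-Key only when it is canonical base64 of exactly 16 bytes (RFC 6455 section 4.1), and the Sec-WebSocket-Accept derivation from section 4.2.2 (SHA-1 of the key concatenated with the GUID 258EAFA5-E914-47DA-95CA-C5AB0DC85B11, base64-encoded). Only the encoding and length can be verified by the server; that the 16 bytes were "randomly selected" cannot be checked from a single value. The function names, the constructed malformed keys and the 400-on-failure policy are assumptions of this example; the sample key "dGhlIHNhbXBsZSBub25jZQ==" and its accept value are the ones given in the RFC.

```python
import base64
import binascii
import hashlib
import os
from typing import Optional, Tuple

# Fixed GUID from RFC 6455 section 4.2.2, used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def is_valid_sec_websocket_key(value: str) -> bool:
    """RFC 6455 4.1: the key MUST be base64 of a 16-byte nonce.

    16 bytes always encode to 24 base64 characters ending in "==", so the
    length check alone rejects most junk cheaply; the decode with
    validate=True rejects characters outside the base64 alphabet and bad
    padding; the re-encode comparison rejects non-canonical encodings
    (stray bits in the final sextet) that a lenient decoder would accept.
    """
    if len(value) != 24:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) != 16:
        return False
    return base64.b64encode(raw).decode("ascii") == value


def sec_websocket_accept(key: str) -> str:
    """RFC 6455 4.2.2: base64(SHA1(key + GUID)), computed over the raw header text."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def new_client_key() -> str:
    """What a conforming client sends: 16 random bytes, base64-encoded."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def handshake_status(sec_websocket_key: Optional[str]) -> Tuple[int, Optional[str]]:
    """Strict server policy (an assumption of this example, not Tomcat's behaviour):
    400 Bad Request for a missing or malformed key, otherwise 101 Switching
    Protocols together with the Sec-WebSocket-Accept value to send back."""
    if sec_websocket_key is None or not is_valid_sec_websocket_key(sec_websocket_key):
        return 400, None
    return 101, sec_websocket_accept(sec_websocket_key)


# Constructed sample inputs covering the two failure modes named in the report
# (not base64 at all, and base64 of the wrong length) plus the RFC's own example.
SAMPLE_KEYS = {
    "rfc_example": "dGhlIHNhbXBsZSBub25jZQ==",      # 16 bytes: "the sample nonce"
    "not_base64": "this is not base64!!!!!!",        # 24 chars, invalid alphabet
    "too_short": "dGhlIHNhbXBsZSBub25jZQ",           # padding stripped, 22 chars
    "too_long": "AAAAAAAAAAAAAAAAAAAAAAAAAAAA",      # 28 chars -> 21 bytes
    "non_canonical": "dGhlIHNhbXBsZSBub25jZR==",     # final sextet has stray bits
}


if __name__ == "__main__":
    for name, key in SAMPLE_KEYS.items():
        print(f"{name:14s} {key!r:32s} -> {handshake_status(key)}")
    print("fresh client key ->", handshake_status(new_client_key()))
```

A lenient server that skips this check still completes the handshake, which is why the report treats it as a conformance issue rather than a vulnerability; the accept value is computed over whatever text the client sent, so both sides agree regardless of whether the key was well-formed.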