Comparing changes

base repository: websockets/ws
base: 7.5.7
head repository: websockets/ws
compare: 7.5.10
  • 7 commits
  • 5 files changed
  • 1 contributor
Commits on May 26, 2022

  1. [fix] Abort the handshake if the Upgrade header is invalid

    Close the connection if the Upgrade header field in the HTTP response
    contains a value that is not an ASCII case-insensitive match for the
    value "websocket".
    lpinca committed May 26, 2022 (2758ed3)
  2. [security] Drop sensitive headers when following insecure redirects

    Drop the `Authorization` and `Cookie` headers if the original request
    for the opening handshake is sent over HTTPS and the client is
    redirected to the same host over plain HTTP (wss: to ws:).
    
    If an HTTPS server redirects to the same host over plain HTTP, the problem
    is on the server, but handling this condition is not hard and reduces
    the risk of leaking credentials due to MITM issues.
    
    Refs: 6946f5fe
    lpinca committed May 26, 2022 (dc1781b)
  3. [dist] 7.5.8

    lpinca committed May 26, 2022 (4271f07)

Commits on Jul 15, 2022

  1. [security] Fix same host check for ws+unix: redirects

    Drop the `Authorization` and `Cookie` headers if the original request
    for the opening handshake is sent to an IPC server and the client is
    redirected to a TCP server (ws+unix: to ws: or wss:), and vice versa
    (ws: or wss: to ws+unix:).
    
    Also drop the `Authorization` and `Cookie` headers if the original
    request for the opening handshake is sent to an IPC server and the
    client is redirected to another IPC server.
    
    Refs: 6946f5fe
    lpinca committed Jul 15, 2022 (0435e6e)
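The redirect rule described in the two `[security]` commits above (dc1781b and 0435e6e), as an added example in plain Node.js that is not the ws project's own code. It uses the WHATWG `URL` class to parse the original and the redirect address, compares `host` (hostname plus any non-default port), and assumes that a redirect to a different host is the case the "same host check" in the commit title already covered, since the page itself only spells out the same-host and IPC cases:

```javascript
'use strict';

// Added example, not code from the ws project: decide whether the
// Authorization and Cookie headers must be stripped before a WebSocket
// client follows a redirect of its opening handshake request.

const SENSITIVE_HEADERS = new Set(['authorization', 'cookie']);

function isIpc(url) {
  // ws+unix: addresses point at a local IPC (Unix domain) socket
  return url.protocol === 'ws+unix:';
}

// Returns true when forwarding credentials would cross a trust boundary.
function isUnsafeRedirect(originalAddress, redirectAddress) {
  const from = new URL(originalAddress);
  const to = new URL(redirectAddress);

  // IPC involved on either side (ws+unix: <-> ws:/wss:, or ws+unix: to
  // another ws+unix: socket): always drop.
  if (isIpc(from) || isIpc(to)) return true;

  // Assumption: a redirect to a different host (hostname plus non-default
  // port) is the pre-existing "same host check" the commit title refers to.
  if (from.host !== to.host) return true;

  // Same host, but wss: downgraded to plain ws: (MITM exposure).
  if (from.protocol === 'wss:' && to.protocol !== 'wss:') return true;

  return false;
}

// Builds the header set for the redirected request from the original one.
function headersForRedirect(headers, originalAddress, redirectAddress) {
  const copy = { ...headers };
  if (!isUnsafeRedirect(originalAddress, redirectAddress)) return copy;
  for (const name of Object.keys(copy)) {
    if (SENSITIVE_HEADERS.has(name.toLowerCase())) delete copy[name];
  }
  return copy;
}

// Constructed sample: a wss: handshake redirected to ws: on the same host.
const sampleHeaders = {
  Authorization: 'Bearer <token>',
  Cookie: 'sid=abc',
  'User-Agent': 'demo',
};
console.log(
  headersForRedirect(sampleHeaders, 'wss://example.com/chat', 'ws://example.com/chat')
);
// logs { 'User-Agent': 'demo' }
```

Header names are matched case-insensitively because a caller may have supplied `Authorization` or `authorization`; the check deliberately errs on the side of dropping, which matches the commit message's reasoning that the cost of handling a misbehaving server is low compared with leaking credentials.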
  2. [dist] 7.5.9

    lpinca committed Jul 15, 2022 (8a78f87)

Commits on Jun 16, 2024

  1. [security] Fix crash when the Upgrade header cannot be read (#2231)

    It is possible that the Upgrade header is correctly received and handled
    (the `'upgrade'` event is emitted) without its value being returned to
    the user. This can happen if the number of received headers exceeds the
    `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
    case `incomingMessage.headers.upgrade` may not be set.
    
    Handle the case correctly and abort the handshake.
    
    Fixes #2230
    lpinca committed Jun 16, 2024 (22c2876)
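The Upgrade header handling from commits 2758ed3 (reject anything that is not an ASCII case-insensitive match for `websocket`) and 22c2876 (abort when the header was never exposed), as an added example that is not ws code. It assumes the shape of Node's `IncomingMessage.headers` (lowercased keys, `headers.upgrade` left `undefined` when the header was dropped past `maxHeadersCount`) and returns a reason string rather than closing a socket, so it can be unit-tested on its own:

```javascript
'use strict';

// Added example, not code from the ws project: validate the Upgrade header
// of a handshake response before accepting the connection.

// ASCII-only case-insensitive comparison. The spec language is "ASCII
// case-insensitive match", and String.prototype.toLowerCase() is wider than
// that: it applies Unicode case mapping, so e.g. U+212A KELVIN SIGN folds to
// 'k' and 'WEBSOC\u212AET'.toLowerCase() === 'websocket'.
function asciiCaseInsensitiveEquals(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    let x = a.charCodeAt(i);
    let y = b.charCodeAt(i);
    if (x >= 0x41 && x <= 0x5a) x += 0x20; // 'A'..'Z' -> 'a'..'z'
    if (y >= 0x41 && y <= 0x5a) y += 0x20;
    if (x !== y) return false;
  }
  return true;
}

// What a naive implementation would do; kept only to show the difference.
function unicodeLowercaseMatches(value) {
  return value.toLowerCase() === 'websocket';
}

// Returns null when the header is acceptable, otherwise the reason the
// handshake must be aborted.
function checkUpgradeHeader(headers) {
  const upgrade = headers.upgrade;
  // The header may have been received and acted on by the HTTP parser yet
  // never surfaced to us (headers beyond maxHeadersCount are not kept).
  if (upgrade === undefined) return 'Upgrade header is missing';
  if (typeof upgrade !== 'string' || !asciiCaseInsensitiveEquals(upgrade, 'websocket')) {
    return 'Invalid Upgrade header';
  }
  return null;
}

// Constructed samples.
console.log(checkUpgradeHeader({ upgrade: 'WebSocket' })); // null
console.log(checkUpgradeHeader({}));                       // 'Upgrade header is missing'
console.log(checkUpgradeHeader({ upgrade: 'h2c' }));       // 'Invalid Upgrade header'
```

The missing-header branch is the one that matters for the crash fix: code that did `headers.upgrade.toLowerCase()` would throw on `undefined`, whereas here an absent header is treated like an invalid one and the handshake is aborted cleanly.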
  2. [dist] 7.5.10

    lpinca committed Jun 16, 2024 (d962d70)