hoaproject / Http

The Hoa\Http library.

Home Page: https://hoa-project.net/


Malformed header

rokha opened this issue · comments


Hi,

While working on Hoa\WebSocket I ran into a weird issue where a particular browser instance of Chrome was breaking the socket server for all the connected clients. Upon investigation, we realized that the browser was sending malformed (read: incomplete) headers. We couldn't figure out why, but realized that it should not be a reason for the socket server to break for everyone.

Eventually, we found the reason to be in the _parse function of Hoa\Http at this line.

The header I was receiving had the last line clipped before the ":", which caused the index to be unavailable. An example header is:

GET / HTTP/1.1
Host: pr.newsbytesapp.com:8889
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: http://xx.yyyy.com
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: __unam=a56ccef-15471a9429e-452f979a-2504; AMP_ECID_GOOGLE=amp-ABTfroEKKHPPukDuQQc4mzfNOnfBTUtE4njuK5GdQq74kjG_SM0xuErSuvkLS27b; laravel_acl_sentry=eyJpdiI6ImpjaDBoZU9HbmY3RXVPemMzSHJMTVE9PSIsInZhbHVlIjoiSDVlclRjaW1ydlNLYXhsSTRZd0tkQnpEdURySVB2VzQ1Zlgrc1g3ZzdtdnZ6aW1kZmdiblRURDlpR28zYnVhN2pRSUZhbEZybWp0Z2VvMVFuYW9oVHl5RzZodVJOZXJNTmhQaGJwamdIQUJDWFBLRUpadTk0Vkx3M1JtSGlzSUQiLCJtYWMiOiI5MzQxZDQ4Yjg0MGIyNDYyYjU2N2Y1ZDFjOGMyZmE3MTA2ZDA3MzE1NTg3N2EyZWQzYmZhZDA5YThlNzllNzY5In0%3D; _gat=1; laravel_session=eyJpdiI6IkdzcVNcL2g0b0dxZFkyck8wT1wvN09HUT09IiwidmFsdWUiOiIzODYxUk5ZcEZVXC96b1pITnc5TlhwWnJMamVrankrMVhJaVpWZ2NoTXVQSnV5WHJ0MW4yalRnSVpmQlJmQkRQdHhBMGgyVFl5dnVHOW1FK0JZQld1aGc9PSIsIm1hYyI6IjMxNWJmYmU3ZWY2NzNlYjk0NTMwZWVkMjVhYWU1Y2FkMGZlNjU4Y2FkYTYxN2RkYmQ0MDM3NDRiYTFkNTg0NjIifQ%3D%3D; chch-SI=61CB5ABFCAE3FBC75C27A7B22B4EF5D7; chch-PSI=61CB5ABFCAE3FBC75C27A7B22B4EF5D7; _ga=GA1.2.1418394292.1462195799
Sec-WebSocket-Key: TjO2I+f5Q2SB4bxjQ9hDSA==
Sec-WebSocket-Extens

As you can see, Sec-WebSocket-Extensions was missing. I think it is an important issue, as one cannot control client behavior.



Hello @rokha, what's your request, the Sec-WebSocket-Extensions has no value?

@Pierozi I guess the parsing stops at a specific length, and since the Cookie is very long, the buffer is not big enough to parse the whole request.

commented

It's not really no value, it may also be that some header is partially available. As in my example, it never reached the :

Also, I increased the buffer size but that was not helping.
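
The failure discussed in this thread, a header line cut off before its ":", shown as an added example that is not part of the thread and is not Hoa\Http's code. The function name parseRequestHead() and the sample request are assumptions made for illustration; the parser reports an incomplete head and sets aside lines without a colon instead of reading a missing array index.

```php
<?php
declare(strict_types=1);

// Added example, not Hoa\Http code; parseRequestHead() is a hypothetical name.
function parseRequestHead(string $raw): array
{
    // A head with no terminating empty line was truncated or is still
    // arriving: buffer more bytes or close this one connection.
    $end      = strpos($raw, "\r\n\r\n");
    $complete = $end !== false;
    $lines    = explode("\r\n", $complete ? substr($raw, 0, $end) : $raw);
    array_shift($lines); // drop the request line ("GET / HTTP/1.1")

    $headers  = [];
    $rejected = [];

    foreach ($lines as $line) {
        if ($line === '') {
            continue;
        }

        // The naive form, list($name, $value) = explode(':', $line, 2),
        // reads index 1 even when the line has no ':' at all.
        $parts = explode(':', $line, 2);
        $name  = $parts[0];

        // Field names are RFC 7230 tokens: no spaces, no control characters.
        $validName = preg_match('/\A[!#$%&\'*+.^_`|~0-9A-Za-z-]+\z/', $name) === 1;

        if (count($parts) !== 2 || !$validName) {
            $rejected[] = $line;
            continue;
        }

        $headers[strtolower($name)] = trim($parts[1]);
    }

    return ['complete' => $complete, 'headers' => $headers, 'rejected' => $rejected];
}

// Constructed request, cut off before the ':' of its last header line.
$raw = "GET / HTTP/1.1\r\n"
     . "Host: example.test:8889\r\n"
     . "Upgrade: websocket\r\n"
     . "Sec-WebSocket-Version: 13\r\n"
     . "Sec-WebSocket-Extens";

echo json_encode(parseRequestHead($raw), JSON_PRETTY_PRINT), PHP_EOL;
```

A caller that gets `complete` as false or a non-empty `rejected` list can keep buffering or close that one connection, so a single client's truncated request does not affect the other connected clients.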