QTBUG-121462

Websocket support is easy to misuse


    • Bug
    • Resolution: Fixed
    • P2: Important
    • 6.8.0 FF
    • 6.6.1
    • Qt Http Server
    • None
    • 13
    • 3bd2834b5 (dev)
    • Foundation Sprint 104, Foundation Sprint 105, Foundation Sprint 106, Foundation Sprint 107, Foundation Sprint 108

      The websocket support in its current implementation is very easy to misuse.

      The current implementation of this API creates websocket connections if the user sends a request with the header Upgrade set to websocket (case-insensitive) and if there is a handler. The handler is expected to write nothing to the socket. It should accept a QHttpServerResponder for that and not use any write methods there. This is non-obvious from the API. Also, there is no way for the server to ensure that the handler is not writing anything to the stream. Websocket upgrade will be done on any route that has a handler. There is no way for a handler to stop a websocket upgrade, for example in case of authentication failure.

      In my opinion, websocket handling code should be decoupled from routing code. Whatever handlers are used for websocket paths should be able to deny upgrades. Alternatively, a websocket route handler may return some special type.


            oyheskes Øystein Heskestad
            ievgenii.meshcheriakov Ievgenii Meshcheriakov
            Vladimir Minenko Vladimir Minenko
            Alex Blasche Alex Blasche


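The decoupling asked for in the description, sketched as an added example (not Qt code and not part of the issue): a standalone C++ model in which the upgrade decision is made by verifiers separate from route handlers, so an authentication failure can deny the upgrade. `Request`, `Verdict`, `decideUpgrade` and `chatVerifier` are hypothetical names, and the token is a constructed value.

```cpp
#include <algorithm>
#include <cctype>
#include <functional>
#include <map>
#include <string>
#include <vector>

// Hypothetical model types; none of these are Qt classes.
struct Request {
    std::string path;
    std::map<std::string, std::string> headers;  // header names stored lower-case
};
enum class Verdict { Accept, Deny, PassToNext };
using Verifier = std::function<Verdict(const Request &)>;

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// True when the request asks for a WebSocket upgrade (value compared case-insensitively).
bool wantsWebSocket(const Request &r) {
    auto it = r.headers.find("upgrade");
    return it != r.headers.end() && lower(it->second) == "websocket";
}

// Upgrade decision kept separate from route handlers: verifiers run in order,
// the first Accept or Deny wins, and a request nobody accepts is refused.
// Returns the HTTP status to send: 101 switches protocols, 403 refuses,
// 0 means "not an upgrade request, route it as plain HTTP".
int decideUpgrade(const Request &r, const std::vector<Verifier> &verifiers) {
    if (!wantsWebSocket(r)) return 0;
    for (const auto &v : verifiers) {
        Verdict d = v(r);
        if (d == Verdict::Accept) return 101;
        if (d == Verdict::Deny) return 403;
    }
    return 403;  // default-deny: a matching HTTP route alone never upgrades
}

// Constructed example verifier: only /chat may upgrade, and only with the
// expected token (plain comparison for the demo; real code validates credentials).
Verdict chatVerifier(const Request &r) {
    if (r.path != "/chat") return Verdict::PassToNext;
    auto it = r.headers.find("authorization");
    bool ok = it != r.headers.end() && it->second == "Bearer constructed-demo-token";
    return ok ? Verdict::Accept : Verdict::Deny;
}
```

Because the verdict is reached before any handler touches the socket, a denied request never reaches code that could write to the stream.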