Validate Sec-WebSocket-Key header in managed HttpListener

stephentoub · stephentoub · commit 98c66a5449c0 · 2017-05-28T22:51:35.000-04:00
diff --git a/src/System.Net.HttpListener/src/System/Net/WebSockets/HttpWebSocket.cs b/src/System.Net.HttpListener/src/System/Net/WebSockets/HttpWebSocket.cs
@@ -167,7 +167,21 @@ private static void ValidateWebSocketHeaders(HttpListenerContext context)
                     SupportedVersion));
             }
 
-            if (string.IsNullOrWhiteSpace(context.Request.Headers[HttpKnownHeaderNames.SecWebSocketKey]))
+            string secWebSocketKey = context.Request.Headers[HttpKnownHeaderNames.SecWebSocketKey];
+            bool isSecWebSocketKeyInvalid = string.IsNullOrWhiteSpace(secWebSocketKey);
+            if (!isSecWebSocketKeyInvalid)
+            {
+                try
+                {
+                    // key must be 16 bytes then base64-encoded
+                    isSecWebSocketKeyInvalid = Convert.FromBase64String(secWebSocketKey).Length != 16;
+                }
+                catch
+                {
+                    isSecWebSocketKeyInvalid = true;
+                }
+            }
+            if (isSecWebSocketKeyInvalid)
             {
                 throw new WebSocketException(WebSocketError.HeaderError,
                     SR.Format(SR.net_WebSockets_AcceptHeaderNotFound,
@@ -177,4 +191,3 @@ private static void ValidateWebSocketHeaders(HttpListenerContext context)
         }
     }
 }
-
diff --git a/src/System.Net.HttpListener/tests/HttpListenerContextTests.cs b/src/System.Net.HttpListener/tests/HttpListenerContextTests.cs
@@ -53,9 +53,6 @@ public async Task AcceptWebSocketAsync_ValidSubProtocol_Success(string[] clientP
         }
 
         [ConditionalFact(nameof(IsNotWindows7OrUapCore))]
-        // Both the managed and Windows implementations send headers to the socket during connection.
-        // The Windows implementation fails with error code 1229: An operation was attempted on a nonexistent network connection.
-        [ActiveIssue(18128, TestPlatforms.AnyUnix)]
         public async Task AcceptWebSocketAsync_SocketSpoofingAsWebSocket_ThrowsWebSocketException()
         {
             await GetSocketContext(new string[] { "Connection: Upgrade", "Upgrade: websocket", "Sec-WebSocket-Version: 13", "Sec-WebSocket-Key: Key" }, async context =>

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,21 @@ private static void ValidateWebSocketHeaders(HttpListenerContext context)`
`167`	`167`	`SupportedVersion));`
`168`	`168`	`}`
`169`	`169`
`170`		`- if (string.IsNullOrWhiteSpace(context.Request.Headers[HttpKnownHeaderNames.SecWebSocketKey]))`
	`170`	`+ string secWebSocketKey = context.Request.Headers[HttpKnownHeaderNames.SecWebSocketKey];`
	`171`	`+ bool isSecWebSocketKeyInvalid = string.IsNullOrWhiteSpace(secWebSocketKey);`
	`172`	`+ if (!isSecWebSocketKeyInvalid)`
	`173`	`+ {`
	`174`	`+ try`
	`175`	`+ {`
	`176`	`+ // key must be 16 bytes then base64-encoded`
	`177`	`+ isSecWebSocketKeyInvalid = Convert.FromBase64String(secWebSocketKey).Length != 16;`
	`178`	`+ }`
	`179`	`+ catch`
	`180`	`+ {`
	`181`	`+ isSecWebSocketKeyInvalid = true;`
	`182`	`+ }`
	`183`	`+ }`
	`184`	`+ if (isSecWebSocketKeyInvalid)`
`171`	`185`	`{`
`172`	`186`	`throw new WebSocketException(WebSocketError.HeaderError,`
`173`	`187`	`SR.Format(SR.net_WebSockets_AcceptHeaderNotFound,`
`@@ -177,4 +191,3 @@ private static void ValidateWebSocketHeaders(HttpListenerContext context)`
`177`	`191`	`}`
`178`	`192`	`}`
`179`	`193`	`}`
`180`		`-`
Original file line number	Diff line number	Diff line change
`@@ -53,9 +53,6 @@ public async Task AcceptWebSocketAsync_ValidSubProtocol_Success(string[] clientP`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`[ConditionalFact(nameof(IsNotWindows7OrUapCore))]`
`56`		`- // Both the managed and Windows implementations send headers to the socket during connection.`
`57`		`- // The Windows implementation fails with error code 1229: An operation was attempted on a nonexistent network connection.`
`58`		`- [ActiveIssue(18128, TestPlatforms.AnyUnix)]`
`59`	`56`	`public async Task AcceptWebSocketAsync_SocketSpoofingAsWebSocket_ThrowsWebSocketException()`
`60`	`57`	`{`
`61`	`58`	`await GetSocketContext(new string[] { "Connection: Upgrade", "Upgrade: websocket", "Sec-WebSocket-Version: 13", "Sec-WebSocket-Key: Key" }, async context =>`