[fpc-pascal] fcl-web websocket
Michael Van Canneyt
michael at freepascal.org
Tue Dec 27 09:39:08 CET 2022
On Mon, 26 Dec 2022, Andrew Haines wrote:
>
> On 12/26/22 8:48 AM, Michael Van Canneyt via fpc-pascal wrote:
>>
>>
>> Please make a version of your program that does not use the LCL.
>> Then I'll test that too.
>>
>> 2 reasons for this request: - I don't have a working version of Lazarus
>> with FPC trunk.
>> - I want to exclude the problems of dealing with the main application
>> message loop.
>>
>>
> I attached a console version. It uses threads. If this is useful at all
> please feel free to add it to the examples and modify it however you want.
>
> I found the problem. First was the problem of no data being read, which you
> fixed by changing the inheritance. But the second problem is that the
> OutgoingFrameMask value was not being used. In the rfc section 5.2 it states
> in the Mask bit explanation that all frames sent from a client must be
> masked. Unfortunately the echo server was not giving a close frame with a
> protocol error which would have been useful.
Hm.
I can say with certainty then that not all server implementations check this :)
>
> In the attached patch there are 3 hunks that include the OutgoingFrameMask
> with the payload. The rest of the patch is about handling a connection that
> encounters an error sending data. I added an exception and also a flag that
> ignores the exception and tries to close gracefully.
>
> You can compile the console client I sent without applying the patch to see
> how it was failing before. There are default servers to choose from.
Indeed, I can confirm the problem, and that your patch fixes it.
>
> Maybe in the client, the constructor should pick a mask at random by default
> since all frames from the client are supposed to be masked anyway.
Good suggestion. I will add this.
> Section
> 5.3 has some strong language about the random mask having a strong entropy
> source. It actually says each frame should have a new unique mask so I'm not
> sure the OutgoingFrameMask property really makes sense since the mask is
> given to the connection only once when the connection is created. I doubt
> most server implementations care about this.
Indeed, see above.
The whole mask idea is shaky anyway.
The mask is sent in the frame, so that's pretty useless for security, which
begs the question why it was needed in the first place. If one wants secure
connections, one should use the wss protocol. Probably the reason why most
servers don't care too much about it.
Anyway: I have applied the patch, and added your example with some minor
modifications. Thank you for both !
Michael.
More information about the fpc-pascal
mailing list