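/*!
    \internal

    Client side of the opening handshake: reads the server's response from
    \a pSocket (status line, then header lines up to the first empty line) and
    decides whether the connection may enter the connected state.

    The handshake succeeds only for a 101 response that carries a non-empty
    Sec-WebSocket-Accept header, an HTTP version of at least 1.1,
    "Upgrade: websocket", "Connection: upgrade", and an accept key equal to the
    one calculateAcceptKey() yields for m_key. Every other outcome sets the
    error string and emits error(ConnectionRefusedError).

    Does nothing when \a pSocket is null.
 */
void QWebSocketPrivate::processHandshake(QTcpSocket *pSocket)
{
    Q_Q(QWebSocket);
    if (Q_UNLIKELY(!pSocket))
        return;

    bool ok = false;
    QString errorDescription;

    const QString regExpStatusLine(QStringLiteral("^(HTTP/[0-9]+\\.[0-9]+)\\s([0-9]+)\\s(.*)"));
    const QRegularExpression regExp(regExpStatusLine);
    const QString statusLine = readLine(pSocket);
    QString httpProtocol;
    int httpStatusCode = 0;
    QString httpStatusMessage;
    bool statusLineValid = false;

    const QRegularExpressionMatch match = regExp.match(statusLine);
    if (Q_LIKELY(match.hasMatch())) {
        QStringList tokens = match.capturedTexts();
        tokens.removeFirst();   // drop the full match, keep the three capture groups
        if (tokens.length() == 3) {
            httpProtocol = tokens[0];
            httpStatusCode = tokens[1].toInt();
            httpStatusMessage = tokens[2].trimmed();
            statusLineValid = true;
        }
    }

    if (Q_UNLIKELY(!statusLineValid)) {
        errorDescription = QWebSocket::tr("Invalid statusline in response: %1.").arg(statusLine);
    } else {
        // Everything read here is supplied by the peer. Header names are stored
        // lower-cased so the lookups below are case-insensitive; lines that do not
        // split into exactly "name: value" are skipped.
        // NOTE(review): nothing in this function caps the number of header lines,
        // and the loop relies on readLine() eventually returning an empty string;
        // confirm that a limit is enforced elsewhere.
        QMap<QString, QString> headers;
        QString headerLine = readLine(pSocket);
        while (!headerLine.isEmpty()) {
            const QStringList headerField = headerLine.split(QStringLiteral(": "),
                                                             QString::SkipEmptyParts);
            if (headerField.size() == 2)
                headers.insertMulti(headerField[0].toLower(), headerField[1]);
            headerLine = readLine(pSocket);
        }

        const QString acceptKey = headers.value(QStringLiteral("sec-websocket-accept"), QString());
        const QString upgrade = headers.value(QStringLiteral("upgrade"), QString());
        const QString connection = headers.value(QStringLiteral("connection"), QString());
        // sec-websocket-extensions and sec-websocket-protocol are not evaluated yet.
        const QString version = headers.value(QStringLiteral("sec-websocket-version"), QString());

        if (Q_LIKELY(httpStatusCode == 101)) {
            //HTTP/x.y 101 Switching Protocols
            bool conversionOk = false;
            // Text after the "HTTP/" prefix, e.g. "1.1".
            const float httpVersion = httpProtocol.midRef(5).toFloat(&conversionOk);
            //TODO: do not check the httpStatusText right now
            ok = !(acceptKey.isEmpty() ||
                   (!conversionOk || (httpVersion < 1.1f)) ||
                   (upgrade.toLower() != QStringLiteral("websocket")) ||
                   (connection.toLower() != QStringLiteral("upgrade")));
            if (ok) {
                const QString accept = calculateAcceptKey(m_key);
                ok = (accept == acceptKey);
                if (!ok)
                    errorDescription =
                        QWebSocket::tr("Accept-Key received from server %1 does not match the client key %2.")
                            .arg(acceptKey).arg(accept);
            } else {
                errorDescription =
                    QWebSocket::tr("QWebSocketPrivate::processHandshake: Invalid statusline in response: %1.")
                        .arg(statusLine);
            }
        } else if (httpStatusCode == 400) {
            //HTTP/1.1 400 Bad Request
            // A 400 is never a successful handshake. Previously a 400 without a
            // Sec-WebSocket-Version header left the flag from status-line parsing
            // set, so the socket was reported as connected with no accept-key check.
            if (!version.isEmpty()) {
                const QStringList versions = version.split(QStringLiteral(", "),
                                                           QString::SkipEmptyParts);
                if (!versions.contains(QString::number(QWebSocketProtocol::currentVersion()))) {
                    //if needed to switch protocol version, then we are finished here
                    //because we cannot handle other protocols than the RFC one (v13)
                    errorDescription =
                        QWebSocket::tr("Handshake: Server requests a version that we don't support: %1.")
                            .arg(versions.join(QStringLiteral(", ")));
                } else {
                    //we tried v13, but something different went wrong
                    errorDescription =
                        QWebSocket::tr("QWebSocketPrivate::processHandshake: Unknown error condition encountered. Aborting connection.");
                }
            } else {
                errorDescription =
                    QWebSocket::tr("QWebSocketPrivate::processHandshake: Unknown error condition encountered. Aborting connection.");
            }
        } else {
            errorDescription =
                QWebSocket::tr("QWebSocketPrivate::processHandshake: Unhandled http status code: %1 (%2).")
                    .arg(httpStatusCode).arg(httpStatusMessage);
        }
    }

    // Report the outcome for every path, including an unparsable status line,
    // which previously set errorDescription but never emitted error().
    if (!ok) {
        setErrorString(errorDescription);
        Q_EMIT q->error(QAbstractSocket::ConnectionRefusedError);
    } else {
        //handshake succeeded
        setSocketState(QAbstractSocket::ConnectedState);
        Q_EMIT q->connected();
    }
}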
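/*!
    \internal

    Client side of the opening handshake: reads the server's response from
    \a pSocket (status line, then header lines up to the first empty line) and
    decides whether the connection may enter the connected state.

    The handshake succeeds only for an "HTTP/1.1 101" response that carries a
    non-empty Sec-WebSocket-Accept header, "Upgrade: websocket",
    "Connection: upgrade", and an accept key equal to the one
    calculateAcceptKey() yields for m_key. Every other outcome logs the error,
    sets the error string and emits error(ConnectionRefusedError).

    Does nothing when \a pSocket is null.
 */
void WebSocket::processHandshake(QTcpSocket *pSocket)
{
    if (pSocket == 0)
    {
        return;
    }

    bool ok = false;
    QString errorDescription;

    const QString regExpStatusLine("^(HTTP/1.1)\\s([0-9]+)\\s(.*)");
    const QRegExp regExp(regExpStatusLine);
    QString statusLine = readLine(pSocket);
    QString httpProtocol;
    int httpStatusCode = 0;
    QString httpStatusMessage;
    bool statusLineValid = false;

    if (regExp.indexIn(statusLine) != -1)
    {
        QStringList tokens = regExp.capturedTexts();
        tokens.removeFirst();   // drop the full match, keep the three capture groups
        if (tokens.length() == 3)
        {
            httpProtocol = tokens[0];
            httpStatusCode = tokens[1].toInt();
            httpStatusMessage = tokens[2].trimmed();
            statusLineValid = true;
        }
    }

    if (!statusLineValid)
    {
        errorDescription = "WebSocket::processHandshake: Invalid statusline in response: " + statusLine;
    }
    else
    {
        // Everything read here is supplied by the peer.
        // NOTE(review): nothing in this function caps the number of header lines,
        // and the loop relies on readLine() eventually returning an empty string;
        // confirm that a limit is enforced elsewhere.
        QMap<QString, QString> headers;
        QString headerLine = readLine(pSocket);
        while (!headerLine.isEmpty())
        {
            QStringList headerField = headerLine.split(QString(": "), QString::SkipEmptyParts);
            // Only index the list when the line really split into "name: value";
            // a line without that shape used to be indexed out of range.
            if (headerField.size() == 2)
            {
                // HTTP field names are case-insensitive, so store them lower-cased.
                headers.insertMulti(headerField[0].toLower(), headerField[1]);
            }
            headerLine = readLine(pSocket);
        }

        QString acceptKey = headers.value("sec-websocket-accept", "");
        QString upgrade = headers.value("upgrade", "");
        QString connection = headers.value("connection", "");
        QString version = headers.value("sec-websocket-version", "");

        if (httpStatusCode == 101)  //HTTP/1.1 101 Switching Protocols
        {
            //TODO: do not check the httpStatusText right now
            ok = !(acceptKey.isEmpty() ||
                   (httpProtocol.toLower() != "http/1.1") ||
                   (upgrade.toLower() != "websocket") ||
                   (connection.toLower() != "upgrade"));
            if (ok)
            {
                QString accept = calculateAcceptKey(m_key);
                ok = (accept == acceptKey);
                if (!ok)
                {
                    errorDescription = "WebSocket::processHandshake: Accept-Key received from server " + acceptKey + " does not match the client key " + accept;
                }
            }
            else
            {
                errorDescription = "WebSocket::processHandshake: Invalid statusline in response: " + statusLine;
            }
        }
        else if (httpStatusCode == 400) //HTTP/1.1 400 Bad Request
        {
            // A 400 is never a successful handshake. Previously a 400 without a
            // Sec-WebSocket-Version header left the flag from status-line parsing
            // set, so the socket was reported as connected with no accept-key check.
            if (!version.isEmpty())
            {
                QStringList versions = version.split(", ", QString::SkipEmptyParts);
                if (!versions.contains("13"))
                {
                    //if needed to switch protocol version, then we are finished here
                    //because we cannot handle other protocols than the RFC one (v13)
                    errorDescription = "WebSocket::processHandshake: Server requests a version that we don't support: " + versions.join(", ");
                }
                else
                {
                    //we tried v13, but something different went wrong
                    errorDescription = "WebSocket::processHandshake: Unknown error condition encountered. Aborting connection.";
                }
            }
            else
            {
                errorDescription = "WebSocket::processHandshake: Unknown error condition encountered. Aborting connection.";
            }
        }
        else
        {
            errorDescription = "WebSocket::processHandshake: Unhandled http status code " + QString::number(httpStatusCode);
        }
    }

    // Report the outcome for every path, including an unparsable status line,
    // which previously set errorDescription but never emitted error().
    if (!ok)
    {
        qDebug() << errorDescription;
        setErrorString(errorDescription);
        Q_EMIT error(QAbstractSocket::ConnectionRefusedError);
    }
    else
    {
        //handshake succeeded
        setSocketState(QAbstractSocket::ConnectedState);
        Q_EMIT connected();
    }
}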
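/*!
    \internal

    Incremental client-side handshake parser. It advances m_handshakeState
    through NothingDoneState -> ReadingStatusState -> ReadingHeaderState ->
    ParsingHeaderState -> AllDoneState, and returns early without reporting
    anything whenever \a pSocket has no complete line available yet.

    The handshake succeeds only for a 101 response with a non-empty
    Sec-WebSocket-Accept header, an HTTP version of at least 1.1,
    "Upgrade: websocket", "Connection: upgrade", and an accept key equal to the
    one calculateAcceptKey() yields for m_key. On success the socket state
    becomes ConnectedState and connected() is emitted; on any failure the error
    string is set and error(ConnectionRefusedError) is emitted. In both cases
    the state ends at AllDoneState, which the next call treats as "start over".

    Does nothing when \a pSocket is null.
 */
void QWebSocketPrivate::processHandshake(QTcpSocket *pSocket)
{
    Q_Q(QWebSocket);
    if (Q_UNLIKELY(!pSocket))
        return;
    // Reset handshake on a new connection.
    if (m_handshakeState == AllDoneState)
        m_handshakeState = NothingDoneState;

    QString errorDescription;

    // The cases deliberately fall through: each stage continues into the next
    // as soon as it has all the input it needs.
    switch (m_handshakeState) {
    case NothingDoneState:
        m_headers.clear();
        m_handshakeState = ReadingStatusState;
        // no break
    case ReadingStatusState:
        if (!pSocket->canReadLine())
            return;     // wait for more data
        m_statusLine = pSocket->readLine();
        if (Q_UNLIKELY(!parseStatusLine(m_statusLine, &m_httpMajorVersion, &m_httpMinorVersion,
                                        &m_httpStatusCode, &m_httpStatusMessage))) {
            errorDescription = QWebSocket::tr("Invalid statusline in response: %1.").arg(QString::fromLatin1(m_statusLine));
            break;
        }
        m_handshakeState = ReadingHeaderState;
        // no break
    case ReadingHeaderState:
        // Header names are stored lower-cased; lines that do not split into
        // exactly "name: value" are skipped, and a line that yields no parts at
        // all ends the header section.
        // NOTE(review): m_headers grows by one entry per well-formed line and
        // nothing in this function caps the number or length of header lines a
        // peer may send; confirm that a limit is enforced elsewhere.
        while (pSocket->canReadLine()) {
            QString headerLine = readLine(pSocket);
            const QStringList headerField = headerLine.split(QStringLiteral(": "),
                                                             QString::SkipEmptyParts);
            if (headerField.size() == 2) {
                m_headers.insertMulti(headerField[0].toLower(), headerField[1]);
            }
            if (headerField.isEmpty()) {
                m_handshakeState = ParsingHeaderState;
                break;
            }
        }

        if (m_handshakeState != ParsingHeaderState) {
            if (pSocket->atEnd()) {
                errorDescription = QWebSocket::tr("QWebSocketPrivate::processHandshake: Connection closed while reading header.");
                break;
            }
            return;     // header section not complete yet
        }
        // no break
    case ParsingHeaderState: {
        const QString acceptKey = m_headers.value(QStringLiteral("sec-websocket-accept"), QString());
        const QString upgrade = m_headers.value(QStringLiteral("upgrade"), QString());
        const QString connection = m_headers.value(QStringLiteral("connection"), QString());
        // sec-websocket-extensions and sec-websocket-protocol are not evaluated yet.
        const QString version = m_headers.value(QStringLiteral("sec-websocket-version"), QString());

        bool ok = false;
        if (Q_LIKELY(m_httpStatusCode == 101)) {
            //HTTP/x.y 101 Switching Protocols
            //TODO: do not check the httpStatusText right now
            // "At least HTTP/1.1": compare major first, minor only within major 1.
            // Testing the minor number on its own rejected every x.0 version
            // above 1.x.
            const bool httpVersionTooOld =
                    (m_httpMajorVersion < 1) ||
                    (m_httpMajorVersion == 1 && m_httpMinorVersion < 1);
            ok = !(acceptKey.isEmpty() ||
                   httpVersionTooOld ||
                   (upgrade.toLower() != QStringLiteral("websocket")) ||
                   (connection.toLower() != QStringLiteral("upgrade")));
            if (ok) {
                const QString accept = calculateAcceptKey(m_key);
                ok = (accept == acceptKey);
                if (!ok)
                    errorDescription =
                        QWebSocket::tr("Accept-Key received from server %1 does not match the client key %2.")
                            .arg(acceptKey).arg(accept);
            } else {
                errorDescription =
                    QWebSocket::tr("QWebSocketPrivate::processHandshake: Invalid statusline in response: %1.")
                        .arg(QString::fromLatin1(m_statusLine));
            }
        } else if (m_httpStatusCode == 400) {
            //HTTP/1.1 400 Bad Request
            if (!version.isEmpty()) {
                const QStringList versions = version.split(QStringLiteral(", "),
                                                           QString::SkipEmptyParts);
                if (!versions.contains(QString::number(QWebSocketProtocol::currentVersion()))) {
                    //if needed to switch protocol version, then we are finished here
                    //because we cannot handle other protocols than the RFC one (v13)
                    errorDescription =
                        QWebSocket::tr("Handshake: Server requests a version that we don't support: %1.")
                            .arg(versions.join(QStringLiteral(", ")));
                } else {
                    //we tried v13, but something different went wrong
                    errorDescription =
                        QWebSocket::tr("QWebSocketPrivate::processHandshake: Unknown error condition encountered. Aborting connection.");
                }
            } else {
                errorDescription =
                    QWebSocket::tr("QWebSocketPrivate::processHandshake: Unknown error condition encountered. Aborting connection.");
            }
        } else {
            errorDescription =
                QWebSocket::tr("QWebSocketPrivate::processHandshake: Unhandled http status code: %1 (%2).")
                    .arg(m_httpStatusCode).arg(m_httpStatusMessage);
        }
        if (ok)
            m_handshakeState = AllDoneState;
        break;
    }
    case AllDoneState:
        // Excluded by the reset at the top of the function.
        Q_UNREACHABLE();
        break;
    }

    if (m_handshakeState == AllDoneState) {
        // handshake succeeded
        setSocketState(QAbstractSocket::ConnectedState);
        Q_EMIT q->connected();
    } else {
        // handshake failed
        m_handshakeState = AllDoneState;
        setErrorString(errorDescription);
        Q_EMIT q->error(QAbstractSocket::ConnectionRefusedError);
    }
}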
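/*!
    \internal

    Builds the server's reply to the opening handshake \a request and returns it
    as one string of CRLF-terminated lines ending with an empty line.

    \list
    \li \a isOriginAllowed false: "403 Access Forbidden".
    \li Valid request, at least one version common to the request and
        \a supportedVersions, and no line break in the origin or in
        \a serverName: "101 Switching Protocols" with the accept key, the
        negotiated protocol and extension (when any match), and the Server,
        CORS and Date headers.
    \li Anything else: "400 Bad Request" listing \a supportedVersions.
    \endlist

    Side effects: sets m_canUpgrade, and depending on the outcome m_error,
    m_errorString, m_acceptedProtocol, m_acceptedExtension and m_acceptedVersion.
 */
QString QWebSocketHandshakeResponse::getHandshakeResponse(
        const QWebSocketHandshakeRequest &request,
        const QString &serverName,
        bool isOriginAllowed,
        const QList<QWebSocketProtocol::Version> &supportedVersions,
        const QList<QString> &supportedProtocols,
        const QList<QString> &supportedExtensions)
{
    QStringList response;
    m_canUpgrade = false;

    if (!isOriginAllowed) {
        m_error = QWebSocketProtocol::CC_POLICY_VIOLATED;
        m_errorString = ("Access forbidden.");
        response << QStringLiteral("HTTP/1.1 403 Access Forbidden");
    } else {
        if (request.isValid()) {
            const QString acceptKey = calculateAcceptKey(request.key());
            // NOTE(review): these go through set intersections, so the order of
            // the matches (and therefore which one first() picks below) is not
            // the order in which the client or the server listed them.
            const QList<QString> matchingProtocols =
                    supportedProtocols.toSet().intersect(request.protocols().toSet()).toList();
            const QList<QString> matchingExtensions =
                    supportedExtensions.toSet().intersect(request.extensions().toSet()).toList();
            QList<QWebSocketProtocol::Version> matchingVersions =
                    request.versions().toSet().intersect(supportedVersions.toSet()).toList();
            std::sort(matchingVersions.begin(), matchingVersions.end(),
                      std::greater<QWebSocketProtocol::Version>());    //sort in descending order

            // The origin comes from the peer's request and is echoed into the
            // Access-Control-Allow-Origin header; serverName goes into the
            // Server header. A CR or LF in either would let the value start
            // additional header lines, so this is checked before any line of
            // the 101 response has been appended.
            QString origin = request.origin().trimmed();
            const bool lineBreakInHeaderValue =
                    origin.contains(QLatin1Char('\r')) || origin.contains(QLatin1Char('\n')) ||
                    serverName.contains(QLatin1Char('\r')) || serverName.contains(QLatin1Char('\n'));

            if (Q_UNLIKELY(matchingVersions.isEmpty())) {
                m_error = QWebSocketProtocol::CC_PROTOCOL_ERROR;
                m_errorString = ("Unsupported version requested.");
                m_canUpgrade = false;
            } else if (Q_UNLIKELY(lineBreakInHeaderValue)) {
                m_error = QWebSocketProtocol::CC_PROTOCOL_ERROR;
                m_errorString = ("One of the headers contains a newline. Possible attack detected.");
                m_canUpgrade = false;
            } else {
                response << QStringLiteral("HTTP/1.1 101 Switching Protocols") <<
                            QStringLiteral("Upgrade: websocket") <<
                            QStringLiteral("Connection: Upgrade") <<
                            QStringLiteral("Sec-WebSocket-Accept: ") % acceptKey;
                if (!matchingProtocols.isEmpty()) {
                    m_acceptedProtocol = matchingProtocols.first();
                    response << QStringLiteral("Sec-WebSocket-Protocol: ") % m_acceptedProtocol;
                }
                if (!matchingExtensions.isEmpty()) {
                    m_acceptedExtension = matchingExtensions.first();
                    response << QStringLiteral("Sec-WebSocket-Extensions: ") % m_acceptedExtension;
                }
                // A request without an origin gets the wildcard.
                if (origin.isEmpty())
                    origin = QStringLiteral("*");
                response << QStringLiteral("Server: ") % serverName <<
                            QStringLiteral("Access-Control-Allow-Credentials: false") <<
                            QStringLiteral("Access-Control-Allow-Methods: GET") <<
                            QStringLiteral("Access-Control-Allow-Headers: content-type") <<
                            QStringLiteral("Access-Control-Allow-Origin: ") % origin <<
                            QStringLiteral("Date: ") % QDateTime::currentDateTimeUtc()
                                .toString(QStringLiteral("ddd, dd MMM yyyy hh:mm:ss 'GMT'"));

                m_acceptedVersion = QWebSocketProtocol::currentVersion();
                m_canUpgrade = true;
            }
        } else {
            m_error = QWebSocketProtocol::CC_PROTOCOL_ERROR;
            m_errorString = ("Bad handshake request received.");
            m_canUpgrade = false;
        }

        if (Q_UNLIKELY(!m_canUpgrade)) {
            // Tell the client which protocol versions this server accepts.
            response << QStringLiteral("HTTP/1.1 400 Bad Request");
            QStringList versions;
            Q_FOREACH (QWebSocketProtocol::Version version, supportedVersions)
                versions << QString::number(static_cast<int>(version));
            response << QStringLiteral("Sec-WebSocket-Version: ")
                        % versions.join(QStringLiteral(", "));
        }
    }
    response << QStringLiteral("\r\n");    //append empty line at end of header
    return response.join(QStringLiteral("\r\n"));
}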
/*! \internal */ QString QWebSocketHandshakeResponse::getHandshakeResponse( const QWebSocketHandshakeRequest &request, const QString &serverName, bool isOriginAllowed, const QList<QWebSocketProtocol::Version> &supportedVersions, const QList<QString> &supportedProtocols, const QList<QString> &supportedExtensions) { QStringList response; m_canUpgrade = false; if (!isOriginAllowed) { if (!m_canUpgrade) { m_error = QWebSocketProtocol::CloseCodePolicyViolated; m_errorString = tr("Access forbidden."); response << QStringLiteral("HTTP/1.1 403 Access Forbidden"); } } else { if (request.isValid()) { const QString acceptKey = calculateAcceptKey(request.key()); const QList<QString> matchingProtocols = supportedProtocols.toSet().intersect(request.protocols().toSet()).toList(); //TODO: extensions must be kept in the order in which they arrive //cannot use set.intersect() to get the supported extensions const QList<QString> matchingExtensions = supportedExtensions.toSet().intersect(request.extensions().toSet()).toList(); QList<QWebSocketProtocol::Version> matchingVersions = request.versions().toSet().intersect(supportedVersions.toSet()).toList(); std::sort(matchingVersions.begin(), matchingVersions.end(), std::greater<QWebSocketProtocol::Version>()); //sort in descending order if (Q_UNLIKELY(matchingVersions.isEmpty())) { m_error = QWebSocketProtocol::CloseCodeProtocolError; m_errorString = tr("Unsupported version requested."); m_canUpgrade = false; } else { response << QStringLiteral("HTTP/1.1 101 Switching Protocols") << QStringLiteral("Upgrade: websocket") << QStringLiteral("Connection: Upgrade") << QStringLiteral("Sec-WebSocket-Accept: ") % acceptKey; if (!matchingProtocols.isEmpty()) { m_acceptedProtocol = matchingProtocols.first(); response << QStringLiteral("Sec-WebSocket-Protocol: ") % m_acceptedProtocol; } if (!matchingExtensions.isEmpty()) { m_acceptedExtension = matchingExtensions.first(); response << QStringLiteral("Sec-WebSocket-Extensions: ") % m_acceptedExtension; 
} QString origin = request.origin().trimmed(); if (origin.contains(QStringLiteral("\r\n")) || serverName.contains(QStringLiteral("\r\n"))) { m_error = QWebSocketProtocol::CloseCodeAbnormalDisconnection; m_errorString = tr("One of the headers contains a newline. " \ "Possible attack detected."); m_canUpgrade = false; } else { if (origin.isEmpty()) origin = QStringLiteral("*"); response << QStringLiteral("Server: ") % serverName << QStringLiteral("Access-Control-Allow-Credentials: false") << QStringLiteral("Access-Control-Allow-Methods: GET") << QStringLiteral("Access-Control-Allow-Headers: content-type") << QStringLiteral("Access-Control-Allow-Origin: ") % origin << QStringLiteral("Date: ") % QDateTime::currentDateTimeUtc() .toString(QStringLiteral("ddd, dd MMM yyyy hh:mm:ss 'GMT'")); m_acceptedVersion = QWebSocketProtocol::currentVersion(); m_canUpgrade = true; } } } else { m_error = QWebSocketProtocol::CloseCodeProtocolError; m_errorString = tr("Bad handshake request received."); m_canUpgrade = false; } if (Q_UNLIKELY(!m_canUpgrade)) { response << QStringLiteral("HTTP/1.1 400 Bad Request"); QStringList versions; Q_FOREACH (const QWebSocketProtocol::Version &version, supportedVersions) versions << QString::number(static_cast<int>(version)); response << QStringLiteral("Sec-WebSocket-Version: ") % versions.join(QStringLiteral(", ")); } }