Skip to content

Harden WebSocket transport and permessage-deflate for RFC 6455/7692 conformance#847

Open
arturobernalg wants to merge 1 commit into
apache:masterfrom
arturobernalg:websocket-rfc6455-conformance
Open

Harden WebSocket transport and permessage-deflate for RFC 6455/7692 conformance#847
arturobernalg wants to merge 1 commit into
apache:masterfrom
arturobernalg:websocket-rfc6455-conformance

Conversation

@arturobernalg

Copy link
Copy Markdown
Member

Fixed permessage-deflate fragmentation and the SYNC_FLUSH drain in both stacks, derived the client masking key from SecureRandom, and failed the connection on RSV1 control frames and on a data frame received mid-fragment.
Bounded the HTTP/2 server inbound window and outbound queue, rejected a 64-bit length with the MSB set, enforced the 125-byte control frame limit, and truncated the CLOSE reason.
Deduplicated extension offers by name, released the Deflater and Inflater on session end, accepted any 2xx Extended CONNECT response, and guarded the H2 transport against a cancelled selection key on shutdown.
Added tests for each; the module suite passes and checkstyle is clean.

@arturobernalg arturobernalg force-pushed the websocket-rfc6455-conformance branch from c22149a to 3e03738 Compare July 12, 2026 17:34
… conformance

Fixed the client permessage-deflate encoder, which stripped the flush trailer on every
fragment and could truncate a SYNC_FLUSH, so a compressed message split across frames now
decodes; the frame writer derives the masking key from SecureRandom. The session engine fails
the connection on RSV1 set on a control frame, no longer delivers a truncated message after a
1009 close, and the HTTP/2 transport treats a selection key cancelled during shutdown as a
gone channel instead of raising CancelledKeyException.

On the server side the HTTP/2 handler advertises a bounded inbound flow-control window and
back-pressures a bounded outbound queue, the frame reader rejects a 64-bit length with the
most significant bit set, the frame writer enforces the 125-byte control frame limit and
truncates the CLOSE reason, the processor fails a data frame received in the middle of a
fragmented message, and extension negotiation accepts a given extension name only once. Both
permessage-deflate implementations release their Deflater and Inflater when the session ends,
and the HTTP/2 client accepts any 2xx handshake response.
@arturobernalg arturobernalg force-pushed the websocket-rfc6455-conformance branch from 3e03738 to aa9ecce Compare July 12, 2026 19:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant