Branch: refs/heads/master
Home: https://github.com/conformal/btcwallet
Commit: e956d0b290a30053e36f32e1e94c70c95fa61343
https://github.com/conformal/btcwallet/commit/e956d0b290a30053e36f32e1e94c70c95fa61343
Author: Josh Rickmar <[email protected]>
Date: 2014-04-28 (Mon, 28 Apr 2014)
Changed paths:
M sockets.go
Log Message:
-----------
Immediately terminate improperly auth'd ws conns.
This fixes a bug with the authentication handling for websocket
clients where it was possible that even after supplying bad
authentication using the HTTP Authorization header, the connection
would remain open and flagged as unauthenticated, and clients (if they
somehow knew auth failed, although btcwallet would never tell them
until after they failed their next request) could try their hand at
authorization again by issuing an authenticate request.
While I don't know of any reason the above described bug could result
in a security leak, it's better to fail the connection as soon as
possible if they failed their first authentication attempt.
While here, also set a read deadline of 10 seconds for the first
request. If the initial handshake cannot complete in this timeframe,
the connection is terminated. This matches the behavior in btcd, and
prevents websocket clients from connecting without the Authorization
header and never issuing their first authenticate request.
