https://bz.apache.org/bugzilla/show_bug.cgi?id=66548
--- Comment #2 from Mark Thomas <ma...@apache.org> ---

Throwing an exception isn't appropriate here. Just returning SC_BAD_REQUEST is sufficient.

I'll note that RFC 6455 also states:

"It is not necessary for the server to base64-decode the |Sec-WebSocket-Key| value."

Which begs the question: exactly how far should the server go to validate this value?

Possible tests:
a) length of 24 characters
b) ends with "=="
c) characters 0 to 21 are valid for use in base64

Or just decode and check the length despite RFC 6455 saying it is unnecessary.

I think you either do a) + b) + c) or do the full decode.
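The two validation strategies from the comment, side by side, as an added example that is not Tomcat code (Tomcat's handshake is Java; this is Python so the checks can be run directly). The function names, the `validate_upgrade_request` wrapper that models the "just return SC_BAD_REQUEST" advice, and all sample keys except the RFC 6455 section 1.3 example (`dGhlIHNhbXBsZSBub25jZQ==`) are constructed for this example.

```python
"""Added example: two ways to validate a Sec-WebSocket-Key before upgrading."""
import base64
import binascii
import string
from typing import Dict, Optional

SC_BAD_REQUEST = 400  # same value as HttpServletResponse.SC_BAD_REQUEST

# RFC 6455 section 4.1: the key is a randomly selected 16-byte nonce, base64
# encoded. 16 bytes encode to exactly 24 characters: 22 base64 digits
# followed by two "=" padding characters.
KEY_LENGTH = 24
DIGITS = 22
BASE64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/")


def key_looks_well_formed(key: str) -> bool:
    """Syntactic tests a) + b) + c) from the comment; no decoding at all."""
    if len(key) != KEY_LENGTH:          # a) exactly 24 characters
        return False
    if not key.endswith("=="):          # b) terminates with "=="
        return False
    # c) every character before the padding is a base64 digit
    return all(ch in BASE64_ALPHABET for ch in key[:DIGITS])


def key_decodes_to_nonce(key: str) -> bool:
    """Full decode: strict base64 alphabet, result must be a 16-byte nonce."""
    try:
        nonce = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):   # bad digit, bad padding, non-ASCII
        return False
    return len(nonce) == 16


def validate_upgrade_request(headers: Dict[str, str],
                             full_decode: bool = False) -> Optional[int]:
    """Return SC_BAD_REQUEST for a missing or malformed key, None to continue."""
    key = headers.get("Sec-WebSocket-Key")
    if key is None:
        return SC_BAD_REQUEST
    check = key_decodes_to_nonce if full_decode else key_looks_well_formed
    return None if check(key) else SC_BAD_REQUEST


# Constructed sample header values; only the first is the RFC 6455 example key.
SAMPLE_KEYS = {
    "rfc example":         "dGhlIHNhbXBsZSBub25jZQ==",
    "no padding":          "dGhlIHNhbXBsZSBub25jZQ",
    "trailing junk":       "dGhlIHNhbXBsZSBub25jZQ==x",
    "padding mid-key":     "dGhlIHNhbXBsZSBub25j=Q==",
    "wrong padding":       "dGhlIHNhbXBsZSBub25jZQ=A",
    "non-ascii digit":     "dGhlIHNhbXBsZSBub25jZ\u00e9==",
    "24 digits, 18 bytes": "dGhlIHNhbXBsZSBub25jZQAA",
}


def compare_strategies() -> Dict[str, tuple]:
    """For each sample: (result of a)+b)+c), result of full decode)."""
    return {name: (key_looks_well_formed(k), key_decodes_to_nonce(k))
            for name, k in SAMPLE_KEYS.items()}


if __name__ == "__main__":
    for name, (syntax_ok, decode_ok) in compare_strategies().items():
        print(f"{name:22s} a)+b)+c)={syntax_ok!s:5s} decode={decode_ok!s:5s}")
```

Running the comparison shows the two strategies accept and reject exactly the same sample values: 22 base64 digits plus "==" is the only 24-character form that decodes to 16 bytes, so the syntactic tests and the full decode are interchangeable for this purpose. The one thing neither catches is a non-canonical final digit (unused low bits set to non-zero), which most base64 decoders, Python's included, silently discard; since RFC 6455 says the server need not decode the key at all, that is not a check the server has to make.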