fix a DoS against websocket clients
I assumed gorilla validated UTF8 for incoming text messages. In fact, the
documentation states:
>It is the application's responsibility to ensure that text messages
>are valid UTF-8 encoded text.
and this applies to both incoming and outgoing messages. Consequently,
even when enforce-utf8 is enabled, it was possible to send invalid UTF8
to Ergo inside a websocket text frame. This data would be incorrectly
considered valid UTF8, and could be relayed to other clients, including
to websocket clients inside a text frame. The resulting frame would violate
the websocket protocol, causing web clients to be disconnected.
tags/v2.11.1
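
The check the commit message describes, as an added Go example (not Ergo's code and not part of this commit): validate text-frame payloads on the way in, and check again before relaying data inside a text frame. The opcode constants are defined locally from RFC 6455, `CheckIncoming` and `OutgoingFrameType` are hypothetical names, and falling back to a binary frame for invalid outgoing data is an assumption of this example.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf8"
)

// Data-frame opcodes from RFC 6455, defined locally so the example needs no
// third-party websocket package.
const (
	TextMessage   = 1
	BinaryMessage = 2
)

var ErrInvalidUTF8 = errors.New("websocket text frame is not valid UTF-8")

// CheckIncoming (hypothetical name) rejects a text frame whose payload is not
// valid UTF-8, for use when the websocket library leaves that to the caller.
func CheckIncoming(messageType int, payload []byte) error {
	if messageType == TextMessage && !utf8.Valid(payload) {
		return ErrInvalidUTF8
	}
	return nil
}

// OutgoingFrameType (hypothetical name) re-checks data on the relay path and
// only allows a text frame for valid UTF-8. Falling back to a binary frame is
// this example's assumption; dropping the message is the other option.
func OutgoingFrameType(payload []byte) int {
	if utf8.Valid(payload) {
		return TextMessage
	}
	return BinaryMessage
}

func main() {
	// Constructed sample payloads, not captured traffic.
	samples := [][]byte{
		[]byte("PRIVMSG #test :h\xc3\xa9llo"), // valid two-byte sequence
		[]byte("PRIVMSG #test :\xe2\x82"),     // truncated three-byte sequence
		[]byte("PRIVMSG #test :\xc0\xaf"),     // overlong encoding
		[]byte("PRIVMSG #test :\xed\xa0\x80"), // encoded surrogate half
	}
	for _, p := range samples {
		fmt.Printf("%q incoming=%v outgoing=%d\n", p, CheckIncoming(TextMessage, p), OutgoingFrameType(p))
	}
}
```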